I can't use ACM to issue a certificate for a subdomain I manage with Vercel

I manage the domain blackbuck.jp with Vercel.
I want to manage the subdomain api.blackbuck.jp with AWS Route53.
So I created a hosted zone for api.blackbuck.jp in Route 53 and obtained the following records.

Record name       Type  Value/traffic routing destination
api.blackbuck.jp  NS    ns-.awsdns-45.net, ns-.awsdns-35.com, ns-.awsdns-57.co.uk, ns-.awsdns-45.org
api.blackbuck.jp  SOA   ns-.awsdns-45.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

Using the above records, I added four NS records to the www.blackbuck.jp domain on Vercel.

Next, I went to the AWS Certificate Manager (ACM) console and requested a certificate for api.blackbuck.jp, which gave me the following CNAME record.

Domain            Type   CNAME name         CNAME value
api.blackbuck.jp  CNAME  .api.blackbuck.jp  .acm-validations.aws.

The certificate request status was initially “successful” but then quickly changed to “failed”.

I added the above CNAME record to the www.blackbuck.jp domain on Vercel.

Details about the ACM “failure” were also listed on the following page.
https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html

Based on the information on the above page, the following CAA record was added to the www.blackbuck.jp domain of Vercel.
Name  Type  Value                    TTL
api   CAA   0 issue "amazon.com"     60

When this record was added, the following record was automatically added.
Name  Type  Value                      TTL
api   CAA   0 issue "letsencrypt.org"  60

After performing this operation, I went back to the ACM console and requested a certificate for api.blackbuck.jp, but it returned a “failed” result.

Currently, when I use the nslookup command, I get the following result:

> nslookup -type=any blackbuck.jp

Server:  Archer
Address:  192.168.0.1

Non-authoritative answers:
blackbuck.jp    internet address = 76.76.21.22
blackbuck.jp    internet address = 76.76.21.93
blackbuck.jp    nameserver = ns2.vercel-dns.com
blackbuck.jp    nameserver = ns1.vercel-dns.com
blackbuck.jp
        primary name server = ns1.vercel-dns.com
        responsible mail addr = hostmaster.nsone.net
        serial  = 1725093037
        refresh = 43200 (12 hours)
        retry   = 7200 (2 hours)
        expire  = 1209600 (14 days)
        default TTL = 600 (10 mins)
blackbuck.jp    HINFO CPU = RFC8482
ns2.vercel-dns.com      internet address = 198.51.45.13
ns1.vercel-dns.com      internet address = 198.51.44.13

> nslookup -type=ns api.blackbuck.jp

Server:  Archer
Address:  192.168.0.1

Non-authoritative answers:
api.blackbuck.jp        nameserver = ns-<number>.awsdns-45.org
api.blackbuck.jp        nameserver = ns-<number>.awsdns-57.co.uk
api.blackbuck.jp        nameserver = ns-<number>.awsdns-35.com
api.blackbuck.jp        nameserver = ns-<number>.awsdns-45.net

> nslookup -type=caa api.blackbuck.jp

unknown query type: caa
Server:  Archer
Address:  192.168.0.1

*** There are no available internal type for both IPv4 and IPv6 Addresses (A+AAAA) records for api.blackbuck.jp

> nslookup -type=cname api.blackbuck.jp

Server:  Archer
Address:  192.168.0.1

api.blackbuck.jp
        primary name server = ns-<number>.awsdns-45.net
        responsible mail addr = awsdns-hostmaster.amazon.com
        serial  = 1
        refresh = 7200 (2 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 86400 (1 day)

Deployment URL or Custom Domain: blackbuck.jp, api.blackbuck.jp
Project Framework: Next.js 14

Hi, @raithend! Welcome to the Vercel Community :smile:

I’m by no means an expert in domains, but happy to help! I did some digging and found the following changes you should make:

  • DNS Delegation: You’ve correctly created a hosted zone for api.blackbuck.jp in Route 53 and obtained the NS records. However, these NS records should be added to the parent domain (blackbuck.jp) in Vercel’s DNS settings, not to www.blackbuck.jp.

  • CNAME Record: The CNAME record for ACM validation should be added to the Route 53 hosted zone for api.blackbuck.jp, not to Vercel’s DNS settings for www.blackbuck.jp.

  • CAA Records: The CAA records should be added to the apex domain (blackbuck.jp) in Vercel’s DNS settings, not to api.blackbuck.jp.

Could you let us know how you get on?
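The three placement rules in the reply above all follow from how delegation works: once blackbuck.jp (Vercel) carries an NS set at api.blackbuck.jp, every name at or below that cut is answered by Route 53, and a CA looking for CAA at api.blackbuck.jp finds none there and climbs to blackbuck.jp (RFC 8659). The model below is an added example, not code from this thread, Vercel or AWS; the zone contents are constructed, "_acmtoken" stands in for the random validation label ACM actually issues (the real one is elided in the post), and the Route 53 server names keep the "<number>" placeholder from the nslookup output. It reproduces the layout the reply recommends alongside the two misplacements (NS set entered under www, validation CNAME and "api" CAA left in the Vercel zone) and an apex CAA that excludes Amazon.

```python
"""Which zone answers for which name once api.blackbuck.jp is delegated from
Vercel DNS to Route 53: a small model of authoritative DNS plus the RFC 8659
CAA climb. Added example with constructed zone data; not code from the thread."""
from __future__ import annotations

# zone apex -> {(owner name, record type): [rdata, ...]}
Zone = dict[tuple[str, str], list[str]]

VERCEL_APEX = "blackbuck.jp"
CHILD = "api.blackbuck.jp"
# "_acmtoken" is a stand-in for the random label ACM hands out (not in the thread).
VALIDATION_NAME = "_acmtoken." + CHILD
VALIDATION_TARGET = "_acmtoken.acm-validations.aws."
ROUTE53_NS = [f"ns-<number>.awsdns-{x}." for x in ("45.net", "35.com", "57.co.uk", "45.org")]


def parent(name: str) -> str | None:
    """Drop the leftmost label; None once there is nothing left to climb to."""
    return name.split(".", 1)[1] if "." in name else None


class DnsTree:
    def __init__(self, zones: dict[str, Zone]) -> None:
        self.zones = zones

    def authoritative_zone(self, name: str) -> str | None:
        """Start at the enclosing zone nearest the root and follow NS cuts
        downward, as a resolver does. Returns None for a delegation nobody serves."""
        enclosing = [z for z in self.zones if name == z or name.endswith("." + z)]
        if not enclosing:
            return None
        zone = min(enclosing, key=lambda z: z.count("."))
        while True:
            below = name[: -len(zone) - 1].split(".") if name != zone else []
            cuts = [".".join(below[i:] + [zone]) for i in range(len(below) - 1, -1, -1)]
            for cut in cuts:
                if (cut, "NS") in self.zones[zone]:  # a delegation point inside this zone
                    if cut not in self.zones:
                        return None                   # lame: NS points at an unserved zone
                    zone = cut
                    break
            else:
                return zone

    def lookup(self, name: str, rtype: str) -> list[str]:
        zone = self.authoritative_zone(name)
        return [] if zone is None else self.zones[zone].get((name, rtype), [])

    def effective_caa(self, name: str) -> list[str]:
        """RFC 8659 relevant record set: the CAA RRset at the name, else at the
        nearest ancestor that has one. Empty means no CAA restriction at all."""
        cur: str | None = name
        while cur is not None:
            rrset = self.lookup(cur, "CAA")
            if rrset:
                return rrset
            cur = parent(cur)
        return []


def ca_may_issue(caa_rrset: list[str], ca_domain: str) -> bool:
    """Non-wildcard issuance: no 'issue' properties means any CA may issue;
    otherwise the CA's identifier must be listed (flags and parameters ignored)."""
    issuers = []
    for rdata in caa_rrset:
        _flags, tag, value = rdata.split(maxsplit=2)
        if tag.lower() == "issue":
            issuers.append(value.strip('"').split(";")[0].strip())
    return not issuers or ca_domain in issuers


def build_tree(ns_owner: str, cname_in_route53: bool, apex_caa: list[str]) -> DnsTree:
    """Vercel serves blackbuck.jp, Route 53 serves api.blackbuck.jp. ns_owner is the
    name the Route 53 NS set was entered under in Vercel; the validation CNAME (and an
    'api' CAA) go either to Route 53 or, mimicking the original mistake, to Vercel."""
    vercel: Zone = {
        (VERCEL_APEX, "NS"): ["ns1.vercel-dns.com.", "ns2.vercel-dns.com."],
        (ns_owner, "NS"): ROUTE53_NS,
    }
    route53: Zone = {(CHILD, "NS"): ROUTE53_NS}
    if apex_caa:
        vercel[(VERCEL_APEX, "CAA")] = apex_caa
    if cname_in_route53:
        route53[(VALIDATION_NAME, "CNAME")] = [VALIDATION_TARGET]
    else:
        vercel[(VALIDATION_NAME, "CNAME")] = [VALIDATION_TARGET]
        vercel[(CHILD, "CAA")] = ['0 issue "amazon.com"']
    return DnsTree({VERCEL_APEX: vercel, CHILD: route53})


def acm_precheck(tree: DnsTree) -> dict[str, bool]:
    """What ACM's DNS validation and a CA's CAA check actually see for api.blackbuck.jp."""
    return {
        "route53_is_authoritative": tree.authoritative_zone(CHILD) == CHILD,
        "validation_cname_visible": tree.lookup(VALIDATION_NAME, "CNAME") == [VALIDATION_TARGET],
        "amazon_may_issue": ca_may_issue(tree.effective_caa(CHILD), "amazon.com"),
    }


if __name__ == "__main__":
    layouts = {
        "layout from the reply": build_tree(CHILD, True, ['0 issue "amazon.com"', '0 issue "letsencrypt.org"']),
        "NS set entered under www": build_tree("www.blackbuck.jp", True, ['0 issue "amazon.com"']),
        "CNAME and api CAA left in Vercel zone": build_tree(CHILD, False, []),
        "apex CAA allows only Let's Encrypt": build_tree(CHILD, True, ['0 issue "letsencrypt.org"']),
    }
    for label, tree in layouts.items():
        print(f"{label}: {acm_precheck(tree)}")
```

Two results are worth noticing. With the NS set under www, Route 53 is never consulted for api.blackbuck.jp, so a validation CNAME placed in the Route 53 zone is invisible and www itself becomes a lame delegation. With delegation correct but the CNAME and "api" CAA still in the Vercel zone, those records are never served either, so the CAA climb simply finds nothing and validation fails on the missing CNAME. Against the live zones the same checks are `dig NS api.blackbuck.jp`, `dig CNAME` on the validation name ACM gives you, and `dig CAA api.blackbuck.jp` followed by `dig CAA blackbuck.jp` (dig, unlike the nslookup build in the post, knows the CAA type).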

Thank you for your reply.
I followed the method you instructed and was able to issue a certificate with ACM without any problems!
Thank you for your assistance!

