DEV Community


Generating ACM certificates for a Vercel-managed domain.

wulfmann profile image Joseph Snell ・2 min read

When you use Vercel to manage your DNS records, they generate SSL certificates for you.

I want to manage my DNS with Vercel, but still need an ACM Certificate in my AWS account. I've done this before with Route 53, but with Vercel I kept seeing mysterious failures.

After trying Email Validation, I switched to DNS Validation. I still got errors, but this time I got more information:

The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.

After googling around, I found this note:

One or more domain names have failed validation due to a Certification Authority Authentication (CAA) error, check your CAA DNS records..

After going back to my domain in the Vercel dashboard, I found this record:

CAA 0 issue ""

Since there is no CAA Record allowing amazon to issue certificates, the request fails.

AWS provides documentation on how to configure a CAA record to allow ACM to generate certs. We need to add an extra record in Vercel:

CAA 0 issue ""

Request a new ACM cert and this time it succeeds!


Editor guide