Issue
After enabling ACM, the status shows "DNS Verified" for more than 24 hours.
Resolution
There are several reasons why this might be the case:
Rate limit reached
Our upstream certificate provider, Let's Encrypt, has limits in place on the number of certificate requests that can be made for a domain. They have some guidance on this (https://letsencrypt.org/docs/rate-limits/). If you are attempting to issue certificates from sources other than Heroku, this may result in the limits being hit.
CAA records
Certificate Authority Authorization (CAA) records can be put in place on your domain to restrict who is allowed to issue certificates for it. They appear in your DNS records with the type CAA.
For more information, please see the following:
- https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
- https://support.dnsimple.com/articles/caa-record/
For ACM to work, Let's Encrypt must be added to these records if you are using CAA (this applies to the entire domain; it cannot be configured just for specific sub-domains). You can find instructions on this here: https://letsencrypt.org/docs/caa/
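To check whether existing CAA records would block Let's Encrypt for a hostname, the sketch below applies the standard CAA lookup (RFC 8659) to records in the format printed by `dig +short CAA <name>`. It is an added example, not Heroku's or Let's Encrypt's code; the zone data, the `ca.example.net` issuer and the function names are constructed for illustration, and the wildcard handling goes beyond what this article covers.

```python
# Constructed sample data: CAA records as `dig +short CAA <name>` prints them,
# keyed by the DNS name that holds them. "ca.example.net" is a placeholder CA.
SAMPLE_ZONE = {
    "example.com": ['0 issue "ca.example.net"',
                    '0 iodef "mailto:security@example.com"'],
    "example.org": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}

def parse_caa(line):
    """Split one record line into (flags, tag, value)."""
    flags, tag, value = line.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_records(hostname, zone):
    """Climb from the hostname toward the root; the first name that
    has any CAA records supplies the set that applies."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def ca_allowed(hostname, ca, zone):
    """Return (allowed, name_holding_the_records) for the given CA."""
    name, records = relevant_records(hostname, zone)
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise issue.
    props = issuewild if hostname.startswith("*.") and issuewild else issue
    if not props:
        return True, name  # no issue restriction: any CA may issue
    # A value is "<ca-domain>[; parameters]"; a bare ";" authorizes no CA.
    allowed = {v.split(";")[0].strip().lower() for v in props}
    return ca.lower() in allowed, name

if __name__ == "__main__":
    for host in ("www.example.com", "app.example.org",
                 "*.example.org", "www.example.net"):
        ok, source = ca_allowed(host, "letsencrypt.org", SAMPLE_ZONE)
        print(f"{host}: allowed={ok} (CAA records found at: {source})")
```

A result of `allowed=False` for the domain you added to Heroku means the CAA record set named in the output needs an `issue "letsencrypt.org"` entry before ACM can complete.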