Issue
After enabling ACM, the status shows "DNS Verified" for more than 24 hours.
Resolution
There are several reasons why this might be the case:
Rate limit reached
Our upstream certificate provider, Let's Encrypt, has limits in place on the number of certificate requests that can be made for a domain. Their guidance on this is here: https://letsencrypt.org/docs/rate-limits/ If you are also issuing certificates for the domain from sources other than Heroku, this may result in the limits being hit.
CAA records
Certificate Authority Authorization records on your domain can be put in place to restrict which certificate authorities are allowed to issue certificates for it. These will appear in your DNS records with the type CAA.
For more information please see the following:
- https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
- https://support.dnsimple.com/articles/caa-record/
For ACM to work, Let's Encrypt would need to be added to these records if you are using CAA (this applies to the entire domain; it cannot be configured just for specific sub-domains). You can find instructions on this here: https://letsencrypt.org/docs/caa/
IPv6
If you have AAAA (IPv6) records that point to a destination other than Heroku, ACM will be unable to complete. Ensure that any hostname with multiple record types (A+AAAA, CNAME+AAAA) routes to the same place.
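The two DNS checks above (CAA authorisation for Let's Encrypt, and an AAAA record sitting next to a CNAME) can be run against your own records before contacting support. The following is an added example, not Heroku's or Let's Encrypt's code; the zone records are constructed, and the CAA walk follows the RFC 8659 rule that the closest ancestor with CAA records decides.

```python
# Added example: check CAA authorisation and AAAA/CNAME conflicts
# against a constructed list of (name, type, value) records.

# Constructed sample zone, as the values would appear in dig output.
SAMPLE_RECORDS = [
    ("example.com", "CAA", '0 issue "digicert.com"'),
    ("example.com", "CAA", '0 iodef "mailto:security@example.com"'),
    ("www.example.com", "CNAME", "www.example.com.herokudns.com."),
    ("www.example.com", "AAAA", "2001:db8::1"),   # stray IPv6 record
    ("api.example.com", "CNAME", "api.example.com.herokudns.com."),
]

def caa_issue_allowed(records, name, ca="letsencrypt.org"):
    """Walk from `name` towards the root. The first label that has any CAA
    records is the relevant set. If that set has 'issue' tags, `ca` must be
    listed; a set with no 'issue' tags, or no CAA anywhere, permits issuance."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        caa = [v for (n, t, v) in records if n == zone and t == "CAA"]
        if not caa:
            continue
        issuers = []
        for v in caa:
            _flags, tag, value = v.split(" ", 2)
            if tag.lower() == "issue":
                # Quoted value; parameters after ';' do not take part in matching.
                issuers.append(value.strip('"').split(";")[0].strip().lower())
        if not issuers:
            return True            # CAA present but no issuance restriction
        return ca.lower() in issuers
    return True                    # no CAA records at any level

def record_types(records, name):
    """Set of record types present for a hostname."""
    return {t for (n, t, _v) in records if n == name}

def aaaa_conflict(records, name):
    """True when a hostname has an AAAA record alongside a CNAME or A record.
    Heroku's DNS targets are reached via CNAME, so a literal AAAA next to it
    points somewhere Heroku does not control (heuristic: no live resolution)."""
    types = record_types(records, name)
    return "AAAA" in types and bool(types & {"CNAME", "A"})

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com"):
        print(host, "LE allowed:", caa_issue_allowed(SAMPLE_RECORDS, host),
              "AAAA conflict:", aaaa_conflict(SAMPLE_RECORDS, host))
```

In the constructed zone both conditions fail for www.example.com: the parent's CAA set lists only digicert.com, and the hostname carries an AAAA record beside its Heroku CNAME.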