Why is my domain stuck in the 'DNS Verified' state for ACM?

Issue

After enabling ACM, the status shows "DNS Verified" for more than 24 hours.

Resolution

There are several reasons why this might be the case:

Rate limit reached

Our upstream certificate provider, Let's Encrypt, has limits in place on the number of certificate requests that can be made for a domain. See their guidance at https://letsencrypt.org/docs/rate-limits/ for details. If you are attempting to issue certificates from sources other than Heroku, this may result in the limits being hit.

CAA records

Certificate Authority Authorization (CAA) records on your domain can be put in place to restrict who is allowed to issue certificates. These will appear in your DNS records with the record type CAA.

For more information please see the following:

For ACM to work, Let's Encrypt needs to be added to these records if you are using CAA (this applies to the entire domain; it cannot be configured just for specific sub-domains). You can find instructions on this here: https://letsencrypt.org/docs/caa/
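
The following is an added example, not Heroku's or Let's Encrypt's code: it takes the text printed by `dig +short CAA <domain>` and reports whether that record set lets Let's Encrypt issue, following the RFC 8659 evaluation rules. The function names and the sample records (including the issuer `ca.example.net`) are constructed for illustration.

```python
import shlex

LETS_ENCRYPT = "letsencrypt.org"  # issuer domain given in the Let's Encrypt CAA docs
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample input in `dig +short CAA <domain>` format.
BLOCKED = '0 issue "ca.example.net"\n0 iodef "mailto:security@example.com"\n'
FIXED = BLOCKED + '0 issue "letsencrypt.org"\n'


def parse_caa(dig_output):
    """Turn `dig +short CAA` lines into (flags, tag, value) tuples."""
    records = []
    for line in dig_output.splitlines():
        if line.strip():
            flags, tag, value = shlex.split(line)
            records.append((int(flags), tag.lower(), value))
    return records


def ca_may_issue(dig_output, ca=LETS_ENCRYPT, wildcard=False):
    """Return (allowed, reason) for `ca` under the RFC 8659 rules."""
    records = parse_caa(dig_output)
    if not records:
        return True, "no CAA records, so any CA may issue"
    for flags, tag, _ in records:
        # Critical bit (128) on a tag the CA does not understand forbids issuance.
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r} blocks issuance"
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "CAA set has no issue restriction"
    # The issuer domain is the part before any ';' parameters; `issue ";"` names nobody.
    issuers = {v.split(";", 1)[0].strip().lower() for v in relevant}
    if ca in issuers:
        return True, f"{ca} is authorized"
    allowed = sorted(issuers - {""}) or "nobody"
    return False, f"{ca} not authorized; allowed: {allowed}"


if __name__ == "__main__":
    for name, sample in (("before", BLOCKED), ("after", FIXED)):
        print(name, ca_may_issue(sample))
```

An empty result from `dig` means no CAA restriction at that name, so a "DNS Verified" stall with no CAA output points to one of the other causes on this page.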

IPv6

If you have AAAA (IPv6) records that point to a destination other than Heroku, ACM will be unable to complete. Ensure that any DNS name with multiple record types (A+AAAA, CNAME+AAAA) routes to the same place.
