Why is my domain stuck in the 'DNS Verified' state for ACM?

Issue

After enabling ACM, the status shows "DNS Verified" for more than 24 hours.

Resolution

There are several possible reasons for this:

Rate limit reached

Our upstream certificate provider, Let's Encrypt, has limits in place on the number of certificate requests that can be made for a domain (see https://letsencrypt.org/docs/rate-limits/ for their guidance). If you are attempting to issue certificates from sources other than Heroku, this may result in the limits being hit.

CAA records

Certificate Authority Authorization (CAA) records on your domain can be put in place to restrict which certificate authorities are allowed to issue certificates. These will appear in your DNS records with the type CAA.

For more information please see the following:

For ACM to work, Let's Encrypt needs to be added to these records if you are using CAA (this applies to the entire domain; it cannot be configured just for specific sub-domains). You can find instructions on this here: https://letsencrypt.org/docs/caa/
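
To check a CAA record set against the requirement above, this added example (not Heroku's or Let's Encrypt's code) evaluates lines in the format printed by `dig +short CAA <domain>` and reports whether Let's Encrypt may issue. It goes slightly beyond the article by also applying the RFC 8659 rules for the empty `issue ";"` value, `issuewild` records and the critical flag; the sample records and the KNOWN_TAGS set are constructed assumptions.

```python
import shlex

LETS_ENCRYPT = "letsencrypt.org"             # identifier Let's Encrypt uses in CAA records
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # assumption: tags this sketch treats as understood

# Constructed sample record sets, in `dig +short CAA <domain>` output format.
BLOCKED = ['0 issue "digicert.com"', '0 iodef "mailto:security@example.com"']
FIXED = BLOCKED + ['0 issue "letsencrypt.org"']

def parse_caa(lines):
    """Parse CAA lines of the form: <flags> <tag> "<value>"."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        flags, tag, value = shlex.split(line)
        records.append((int(flags), tag.lower(), value))
    return records

def issuer_domain(value):
    """Return the CA domain from an issue/issuewild value, dropping ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(lines, ca=LETS_ENCRYPT, wildcard=False):
    """Apply RFC 8659 rules to one CAA record set; returns (allowed, reason)."""
    records = parse_caa(lines)
    if not records:
        return True, "no CAA records, any CA may issue"
    for flags, tag, _ in records:
        # Bit 0x80 is the issuer-critical flag: an unknown critical tag blocks issuance.
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{tag}' blocks issuance"
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # issuewild only matters for wildcard names, where it overrides issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no issue restriction in the record set"
    if ca in relevant:
        return True, f"{ca} is authorized"
    return False, f"{ca} is not among authorized issuers: {sorted(set(relevant))}"

if __name__ == "__main__":
    for name, rrset in (("blocked", BLOCKED), ("fixed", FIXED)):
        print(name, ca_may_issue(rrset))
```
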