Why is my domain stuck in the 'Waiting' state for ACM?

Issue

One or more of your domains are stuck in the Waiting state after either enabling Automated Certificate Management (ACM) or adding/removing a domain from your application after ACM had already been enabled.

This typically means you've run into a rate limit. Let's Encrypt enforces a limit of 5 certificate issues over a 7 day window for any given list of domains. You can run into this limit by doing any of the following:

  • Running heroku certs:auto:refresh many times in a row.
  • Clicking the "Refresh status" button in the SSL section of the dashboard many times in a row.
  • Adding or removing domains repeatedly.
  • Enabling/disabling ACM for your application several times.

Resolution

Try waiting for a day or two and run a single heroku certs:auto:refresh, or by clicking the 'Refresh Status' button on the Dashboard for your app. If you still run into this problem, contact support rather than trying to resolve it by performing any of the above actions. We also recommend against enabling/disabling ACM as a troubleshooting step because this resets our internal rate limit which could result in you hitting Let's Encrypt's limit, which means you would have to wait for a week to try again.