SSL certificate verification fails when setting up AWS Route53 as a secondary DNS provider for a subdomain

Hi!

We’re using Cloudflare DNS for our domain (example.com). We want to set up AWS Route 53 as a secondary DNS provider for a subdomain (images.example.com), and we also want to create an ACM certificate for that domain.

I did the following:

  1. Created a Route 53 hosted zone for the subdomain.
  2. Created NS records in Cloudflare with the name images and the values of the hosted zone’s name servers.
  3. Requested a certificate in ACM for the subdomain.
  4. Created the required CNAME record for the certificate in the hosted zone.

This works well with many domains (their primary DNS provider is also Cloudflare DNS), except for one specific domain (example.com). I think something in example.com's Cloudflare settings blocks the validation, but I have no idea what it is.

Can anyone help?
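One way to narrow a failure like this down is to query each hop of the delegation chain directly instead of relying on the ACM console. The script below is an added diagnostic, not code from the poster, Cloudflare or AWS: it finds the parent zone's authoritative server, checks that it hands out an NS referral for the subdomain, checks that the hosted zone's own servers agree with that referral and serve the ACM validation CNAME with the expected target, and finally asks a public validating resolver, since a DS record at the parent that does not match a signed child zone fails only at that last step. All names are placeholders (example.com and images.example.com come from the post; the Route 53 name servers and the ACM record name and value are constructed), and `dig` must be installed.

```shell
#!/usr/bin/env bash
# Added diagnostic for a subdomain delegated from Cloudflare to a Route 53 hosted
# zone. Not the poster's code. Walks parent -> child and checks that the ACM
# validation CNAME is visible at every hop, then from a validating resolver.
# Placeholders: example.com / images.example.com (from the post); Route 53 name
# servers and the ACM record name/target are constructed examples.

set -u

# Lower-case a DNS name and drop its trailing dot so names compare cleanly.
strip_dot() { printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'; }

# Lower-case, drop trailing dots, sort: an NS set compares equal regardless of
# the order and case in which a server returns it.
normalize_set() {
  printf '%s\n' $1 | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u \
    | tr '\n' ' ' | sed 's/ $//'
}

set_equal() { # set_equal "<list a>" "<list b>" -> yes|no
  [ "$(normalize_set "$1")" = "$(normalize_set "$2")" ] && echo yes || echo no
}

# NS targets for <name> from dig output, whether they sit in the ANSWER section
# (child answered) or the AUTHORITY section (referral from the parent).
extract_ns() { # extract_ns <name> "<dig output>"
  printf '%s\n' "$2" | awk -v n="$(strip_dot "$1")." \
    'tolower($1)==n && $4=="NS" {print $5}'
}

# CNAME target for <name> from dig output (first match).
extract_cname() { # extract_cname <name> "<dig output>"
  printf '%s\n' "$2" | awk -v n="$(strip_dot "$1")." \
    'tolower($1)==n && $4=="CNAME" {print $5; exit}'
}

# Non-recursive query to one server: what *that* server serves, not a cache.
ask() { # ask <server> <name> <type>
  dig +norecurse +noall +answer +authority +time=3 +tries=1 "@$1" "$2" "$3" 2>/dev/null
}

check_delegation() { # check_delegation <parent> <child> <acm-cname-name> <acm-cname-target>
  local parent="$1" child="$2" vname="$3" vtarget="$4" rc=0
  local parent_ns ns_from_parent ns_from_child cname_seen ns

  # 1. Who is authoritative for the parent (Cloudflare in the post's setup)?
  parent_ns=$(dig +short "$parent" NS | head -n1)
  [ -n "$parent_ns" ] || { echo "FAIL: no NS for $parent"; return 1; }
  echo "parent $parent served by $parent_ns"

  # 2. Does the parent hand out a referral for the child (the NS records added there)?
  ns_from_parent=$(extract_ns "$child" "$(ask "$parent_ns" "$child" NS)")
  if [ -z "$ns_from_parent" ]; then
    echo "FAIL: $parent_ns returns no NS referral for $child (NS records missing or shadowed at the parent)"
    return 1
  fi
  echo "referral from parent: $(normalize_set "$ns_from_parent")"

  # 3. Do the child's own servers (the Route 53 hosted zone) agree with that referral?
  ns_from_child=$(extract_ns "$child" "$(ask "$(echo "$ns_from_parent" | head -n1)" "$child" NS)")
  if [ "$(set_equal "$ns_from_parent" "$ns_from_child")" != yes ]; then
    echo "WARN: NS set at parent differs from NS set in the hosted zone"; rc=1
  fi

  # 4. Is the ACM validation CNAME served by every delegated server with the expected target?
  for ns in $ns_from_parent; do
    cname_seen=$(extract_cname "$vname" "$(ask "$ns" "$vname" CNAME)")
    if [ "$(strip_dot "$cname_seen")" != "$(strip_dot "$vtarget")" ]; then
      echo "FAIL: $ns serves '$cname_seen' for $vname, expected $vtarget"; rc=1
    fi
  done

  # 5. A DS at the parent that does not match a signed child zone makes validating
  #    resolvers return SERVFAIL even when every authoritative hop above looks fine.
  if [ -n "$(dig +short @1.1.1.1 "$child" DS)" ]; then
    echo "NOTE: parent publishes a DS for $child; the hosted zone must be signed with a matching key"
  fi
  if ! dig +dnssec +time=3 @1.1.1.1 "$vname" CNAME | grep -q 'status: NOERROR'; then
    echo "FAIL: validating resolver 1.1.1.1 does not return NOERROR for $vname"; rc=1
  fi
  return $rc
}

# Usage (placeholders; substitute the real name/target from the ACM console):
# check_delegation example.com images.example.com \
#   _0123abcd.images.example.com _4567efgh.acm-validations.aws
```

Step 2 is the one that isolates the parent: it asks Cloudflare's authoritative server directly, so a missing or shadowed referral for the subdomain shows up even when a recursive resolver still has a cached answer. Step 5 is what distinguishes an authoritative-side problem from a DNSSEC one; a `NOTE` followed by a `FAIL` on the same run points at the parent's DS record rather than at the hosted zone.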