Is it possible to add a Front Door managed certificate using DNS verification?

SHM 171 Reputation points
2021-05-15T11:58:56.503+00:00

I've added a custom domain (xyz.contoso.com) to my Front Door (xyz.azurefd.net). Since it's already live and pointing directly to an AppService, I've used the process of creating a CNAME from afdverify.xyz.contoso.com to xyz.azurefd.net ([1]). Before pointing xyz.contoso.com to xyz.azurefd.net, I'm also setting up the Front Door managed SSL certificate. Is it correctly understood from [2] and [3] that, if I want to avoid downtime and have the certificate issued before doing the actual switch-over, the only possibility is using the WHOIS process where a confirmation email is sent to the contact person in the WHOIS records? Is there no way of having the Front Door managed SSL certificate issued using a DNS-based verification process?

My problem is that I have now tried with two different domains, and only for one of them have I received the confirmation email. I've ensured that the following emails exist, [admin|administrator|webmaster|hostmaster|postmaster]@keyman .com, and admin@digicert.com has been added to our allow-list. I know that the documentation states that support should be contacted if no email is received within 24 hours, but this process ....

  • is not very CICD friendly
  • is slow, especially if support has to be involved
  • is quite cumbersome when helping customers set this up, since it requires us to dig into their specific WHOIS setup

Have I overlooked something regarding the DNS verification actually being possible?

Thanks,

[1] https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain#map-the-temporary-afdverify-subdomain
[2] https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https
[3] https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#custom-domain-is-not-mapped-to-your-front-door

Accepted answer
  RaviVarmanMSFT 626 Reputation points Microsoft Employee
    2021-05-31T10:42:42.737+00:00

    @cvationshm

    Currently, issuing a Front Door managed SSL certificate using a DNS-based verification process is not in place yet.

    Custom domain validation is an important security measure before we allow you to add the custom domain. Yes, it is not very CICD friendly, as you need to prove control over the domains before DigiCert issues your certificate. Involving support is not needed every time you add a custom domain; it is decided on a case-by-case basis.

    DigiCert CA validates ownership of your domain by contacting its registrant, according to the domain's WHOIS registrant information. Contact is made via the email address (by default) or the phone number listed in the WHOIS registration. If the WHOIS registrant information is private, verify that you can approve directly from one of the following addresses:

    admin@<your-domain-name.com>
    administrator@<your-domain-name.com>
    webmaster@<your-domain-name.com>
    hostmaster@<your-domain-name.com>
    postmaster@<your-domain-name.com>

    If you are using a spam filter, add admin@digicert.com to its allowlist.

    Common issues when you don't receive the verification email:

    Constructed email address:

    • Ensure that your constructed email address account/alias for the following addresses: admin, administrator, webmaster, hostmaster, and/or postmaster @<your-domain-name.com> has been properly configured. Test the constructed email address by sending an email to it from a known-working email account.

    You may not be getting the validation email at this address because the account has not been set up yet or has been set up improperly.

    • Check your junk mail and spam folders – email clients often mistake the domain validation email for junk mail/spam.

    • Ensure that your firewall or email security appliance did not block the email or place it in quarantine.

    WHOIS-based Email Addresses:

    • Check any junk mail/spam folders.

    • Have validation email recipients (domain contacts) check their junk mail/spam folders – email clients often mistake the domain validation email for junk mail/spam.

    • Ensure that your firewall or email security appliance did not block the email or place it in quarantine.

    • Contact your domain registrar to ensure they are not masking or hiding your domain contact information.

    • Are you expecting to receive an email at an address published in your domain’s WHOIS record? Please verify that your registrar is not masking or hiding your domain contact information.

    • Is your registrar masking or hiding your contact information? Check to see if they provide a way (an anonymized email or a web form) for CAs to access the domain's WHOIS data.

    • For the most efficient validation process, let your registrar know that you want them to either use your full published records or an anonymized email address for your domains. Using these options will ensure minimal-to-no-impact on validation processes.

    Hope this was helpful. Please let us know in case of any additional questions or concerns.
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
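A pre-flight check for the situation described in the question and answer above, as an added example (not code from the thread, Microsoft, or DigiCert): given the DNS records you have published, it reports whether Front Door will validate the custom domain automatically via its CNAME, fall back to the WHOIS/email process because only the afdverify subdomain is mapped, or fail outright, and whether the zone can even receive mail at the constructed addresses the answer lists. The record set, the App Service hostname and the MX host are constructed placeholders.

```python
"""Pre-flight check for the no-downtime Front Door custom-domain path. Added
example, not from the thread or Microsoft; DNS answers are passed in as a dict
so it runs offline (fill it from your resolver's output in practice)."""

# Constructed data mirroring the question: afdverify is mapped to Front Door,
# the live hostname still points at the App Service, and the zone has MX.
SAMPLE_RECORDS = {
    "afdverify.xyz.contoso.com.": [("CNAME", "xyz.azurefd.net.")],
    "xyz.contoso.com.": [("CNAME", "xyz-app.azurewebsites.net.")],  # hypothetical
    "contoso.com.": [("MX", "10 mail.contoso.com.")],                # hypothetical
}

def _fqdn(name):
    return name.lower() if name.endswith(".") else name.lower() + "."

def follow_cname(records, name, max_hops=8):
    """Follow a CNAME chain to its final name; refuse loops and long chains."""
    seen, cur = set(), _fqdn(name)
    while True:
        cnames = [v for t, v in records.get(cur, []) if t == "CNAME"]
        if not cnames:
            return cur
        if cur in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or >{max_hops} hops from {name}")
        seen.add(cur)
        cur = _fqdn(cnames[0])

def validation_path(records, custom_domain, afd_host):
    """Which managed-certificate validation Front Door will end up using:
    'auto'     - custom domain already CNAMEs to Front Door; DNS proves control,
                 no WHOIS email is sent.
    'email'    - only afdverify.<domain> is mapped (the question's route), so
                 DigiCert falls back to the WHOIS/email contact process.
    'unmapped' - neither name reaches Front Door; adding the domain fails."""
    target = _fqdn(afd_host)
    if follow_cname(records, custom_domain) == target:
        return "auto"
    if follow_cname(records, "afdverify." + custom_domain) == target:
        return "email"
    return "unmapped"

def email_readiness(records, custom_domain):
    """Constructed addresses DigiCert may use when WHOIS is private, and whether
    the zone has MX at all. Zone = parent of the custom hostname (simplified;
    adjust for deeper subdomains or multi-label public suffixes)."""
    zone = custom_domain.rstrip(".").split(".", 1)[1]
    has_mx = any(t == "MX" for t, _ in records.get(_fqdn(zone), []))
    aliases = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
    return has_mx, [f"{a}@{zone}" for a in aliases]
```

Running `validation_path` against the sample records returns "email", matching the answer's point that only the WHOIS/email path applies until the live hostname is switched; a missing MX on the zone means none of the constructed addresses can receive the validation mail, which is the first thing to fix before involving support.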
