Azure Front door automatic certificate renewal

zveratko 0

I'm facing some issues with cert renewal. Current setup is:


DNS ZONE test.app

  dev NS record to dev.test.app

DNS ZONE dev.test.app

  @   A record to FD

  api CNAME record to FD

Seems like Frontdoor is facing some issues when regenerating certificate and we need to resolve them manually.

First issue for me is that it looks like we need to revalidate DNS zone everytime the cert is being updated. There is something regarding validation here which I am not sure I can interpret properly. It looks like pre-validated domain can regenerate the cert automatically, but for all others(Azure DNS zones) included the step of TXT entry renewal is manually needed. In another place they stated that already added CNAME for the domain is enought and no validation is needed, but I don't have it for top level, should i create that entry in parent DNS or what?

Second issue is that I cannot create CNAME for @ in dev.test.app, which maybe is describe here, but I don't get it.

Does anyone have some proper experience with setting the Front Door properly? Somehow it is working for me, but I need automatic cert renewal of dev.test.app and api.dev.test.app.

Sina Salam 7,286 Reputation points

2024-06-04T13:08:38.1266667+00:00
Hello zveratko,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

I understand that you are experiencing issues with the automated renewal of SSL certificates for Azure Front Door due to DNS validation requirements. You also need to understand the correct setup for DNS records to enable automatic renewal without manual revalidation each time the certificate is updated and also facing challenges with configuring CNAME records for the root domain (@) in the DNS zone and seeking a reliable solution for this limitation.

Solution

This recommended solution was crafted based on the provided scenario in your inquiries.

There are three major issues:

DNS Zone Revalidation for Certificate Renewal

How to create CNAME for Root Domain.

Automatic Certificate Renewal

To solve the issues and questions regarding Azure Front Door's certificate renewal and DNS configuration, you will need to do the followings:

Firstly about dev.test.app (Root Domain) look for A record to modify or add an A record for the root domain pointing to the Azure Front Door IP address. @ A <Front Door IP Address>

Then, during the initial setup or when Azure Front Door prompts for revalidation, add the provided TXT record for DNS validation. _acme-challenge.dev.test.app TXT <Validation Token Provided by Azure>

After you have done the above, for your api.dev.test.app (Subdomain), *modify the CNAME Record by *adding a CNAME record pointing to the Azure Front Door endpoint. api CNAME <Front Door Endpoint>

The above will ensure proper DNS configuration.

Secondly, to automate DNS Validation for Certificate Renewal.

Ensure that the domain is pre-validated by Azure Front Door to enable automatic renewal.

Check if the domain is marked as validated in the Azure Front Door custom domain settings.

To do this:

Go to your Azure Front Door profile in the Azure portal.

Navigate to "Frontend hosts" and add your custom domain (dev.test.app).

During the custom domain addition, Azure will provide a TXT record for domain validation.

Note the TXT record details.

Go to your DNS provider's management portal.

Add the TXT record to your DNS zone (dev.test.app).

Return to Azure Front Door and verify the domain.

Once verified, Azure Front Door should mark the domain as validated, allowing automatic certificate renewals.

Thirdly, in handling CNAME for Root Domain, you will need to understand that DNS specifications do not allow CNAME records at the root level, so you will have to use an A record instead, pointing directly to the IP address of Azure Front Door. Except you are using a provider that supports alias records (like AWS Route 53), use an alias record to point to Azure Front Door.

Finally, check out the proper configuration I listed above in the first steps to ensure proper DNS configuration and automate the certificate renewal process for your Azure Front Door setup. This will minimize manual intervention and ensure consistent security for your domains.

Reference

Learn about custom domains when using Azure Front Door: Domains in Azure Front Door.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
Martin Wortner 1 Reputation point

2024-06-24T10:12:43.41+00:00

Why not to get rid of the Apex. And create just two entries:

dev.test.app

api.dev.test.app

both into test.app domain? This will solve my problem. Unfortunatelly we need the test.app domain to be separated so in our particular case we cannot add CNAME dev. to test.app domain. I do not see any other way.

1 answer

KapilAnanth-MSFT 41,156 Reputation points Microsoft Employee

2024-06-05T17:56:13.0433333+00:00
@zveratko ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

#1You have a domain named "dev.test.app" delegated to Azure.

This means, "dev.test.app" is called Apex domain or Root domain

Please follow : Onboard a root or apex domain to Azure Front Door to add ALIAS record pointing "dev.test.app" to "FDEndPoint1" on how to configure custom domains

For Apex domains, Azure managed certificates are not automatically rotated.

See : managed TLS certificates

Also see: AFD-managed TLS certificate rotation - How to rotate/renew

This is nothing but regenerating the TXT value and adding it to the DNS Zone

#2The domain "api.dev.test.app" is not an Apex domain,

It is just a CNAME record under the domain "dev.test.app"

So the process is straight forward : Configure a custom domain on Azure Front Door

The subdomains certificates are rotated automatically as long as the CNAME record is still pointing to "FDEndPoint2"

See : managed TLS certificates

Hope this helps.

Cheers,

Kapil
Please sign in to rate this answer.
zveratko 0 Reputation points

2024-06-18T09:49:58.76+00:00

So there is no way to recreate certificate automatically? Is there any way to use some kind of script to renew? Just now I am investigating az afd custom-domain regenerate-validation-token, but to no avail. Getting strange error - Message: Property 'AfdDomainEntityKey.AfdDomainName' cannot be set to 'dev.test.app'. If the token will be updated will then the automatic regeneration work for apex domain?

KapilAnanth-MSFT 41,156 Reputation points Microsoft Employee

2024-06-18T11:42:37.3133333+00:00

@zveratko ,

The command az afd custom-domain regenerate-validation-token only regenerates the TXT value.

It does not update the DNS entries if not done via Portal.

For the "dev.test.app" endpoint, you should revalidate the domain

For Scripting,

You can use Update-AzFrontDoorCdnCustomDomainValidationToken command to update the TXT value

Get-AzFrontDoorCdnCustomDomain to get the newly generated token value

And update the DNS value to your DNS Provider

For Azure DNS, see : Create a new DNS record

Once the DNS update takes place, you can expect the state to became "Validated" once again in 10 minutes.

Hope this helps

Cheers,

Kapil

zveratko 0 Reputation points

2024-06-19T05:13:38.3466667+00:00

So there is no way to recreate certificate automatically? Is there any way to use some kind of script to renew? Just now I am investigating az afd custom-domain regenerate-validation-token, but to no avail. Getting strange error - Message: Property 'AfdDomainEntityKey.AfdDomainName' cannot be set to 'dev.test.app'. If the token will be updated will then the automatic regeneration work for apex domain?

KapilAnanth-MSFT 41,156 Reputation points Microsoft Employee

2024-06-19T05:31:35.7033333+00:00

@zveratko ,

Please refer to my pervious comment on how you can create a script for this.

Wrt, "If the token will be updated will then the automatic regeneration work for apex domain?"

If you could automate the token regeneration
AND

if you could update the newly generated token (TXT Value) in your DNS Provider

Yes, the validation would go through and new certificate would be generated (rotation would be successful)

Try using the Powershell command,
Update-AzFrontDoorCdnCustomDomainValidationToken -CustomDomainName <String> -ProfileName <String> -ResourceGroupName <String>

Cheers,

Kapil

zveratko 0 Reputation points

2024-06-19T06:36:00.9633333+00:00

Sorry for posting twice, the comments are somehow collapsed by default. This PS command is equivalent of the AZ CLI one I posted right? I get the solution, but I must say it is really cumbersome. We are using Bicep to create the initial records, I'm really interested how I would re-run the deployment just to replace one TXT entry.

KapilAnanth-MSFT 41,156 Reputation points Microsoft Employee

2024-06-19T08:14:43.4366667+00:00

I understand, however, currently the product limitation is that manual intervention is required for certificate rotation in an Apex domain.

And this feedback has been shared in Azure Feedback Hub : Azure Front Door Standard/Premium support of automatic managed certificates renewal on APEX domain

You can upvote this and track this page for updates on when this is will be generally available.

Wrt, "This PS command is equivalent of the AZ CLI one I posted right?"

Yes

Wrt, "I'm really interested how I would re-run the deployment just to replace one TXT entry."

I don't understand why you would have to re-run the deployment in the first place

The deployment would create a custom domain with a Validation Token

Bicep is idem potent and so if you re-deploy, the custom domain would not be updated unless and until you change some property (which you would not)

Just run the Powershell commands to

Regenerate the Validation Token

Get the Token value

Add it to the DNS Zone

Hope this helps.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment

Share via

Azure Front door automatic certificate renewal

Problem

Solution

Reference

Accept Answer

1 answer