Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
691 questions
Container App custom domain managed certificate is not trusted - Intermediate certificate chain is incorrect
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 71%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Steve Mandras
41
Reputation points
We use site24x7 to monitor the health of a number of SSL certificates across our enterprise. As we migrate from dedicated nginx servers to container apps for these UIs, we use custom domains within the container app settings. site24x7 is resporting that the managed certificate we installed for a container app (which was successfully added and verified and secured and seems to work correctly) is not trusted. Furthermore, SSL labs is also showing "Incorrect order". See atached redacted screenshots for further info. Any ideas? Would hate to have to go down the path of BYO certificates. Any ideas?
Azure Container Apps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 39%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator2025-04-09T19:58:16.71+00:00 Hello Steve Mandras,
Thanks for reaching out could you please provide the below details to troubleshoot the issue further.
- What were the exact steps you followed to configure the custom domain and managed SSL certificate in your container app platform? Were there any specific options or settings related to intermediate certificates or the SSL certificate chain that you selected?
- Could you share the full SSL Labs report (or at least the certificate chain analysis section) for your domain, particularly highlighting the certificate order and any chain or trust errors? Additionally, what specific issues are end-users or applications experiencing in relation to the SSL certificate?
-
Steve Mandras 41 Reputation points
2025-04-10T13:21:24.6233333+00:00 - Open container app, go to settings blade, custom domain, add custom domain, select managed certificate, put in website as CNAME record, copied records and added to our domain registrar. In a couple of minutes the custom domain was secured.
- If you could open a private chat, I will provide the full SSL Labs report. No issues accessing from end-users, application is working fine, and browsers show that the certificate is valid. When monitoring with site24x7 for SSL health, that's where we are seeing the error.
-
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator
2025-04-10T17:55:05.7233333+00:00 Hello Steve Mandras,
Thanks for your patience, could you please check the private message and send the request details to troubleshoot the issue further.
Here is the reference link on how to access & data retention policy of private messages in Microsoft Q&A.
-
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator
2025-04-12T00:02:21.72+00:00 Hello Steve Mandras,
Thanks for sharing details over private message we have checked the logs from the backend and it looks like the error not originating from the container app end. We have looked into the SSL labs forums and found couple of errors which reports the same - Incorrect order, Contains anchor Chain issues Incorrect order which is caused due to bad order in the certificate.
So, we request you to post a question on the https://www.site24x7.com/community/newtopic as well seeking guidance as we do not see any SSL errors from Container Apps end.
-
Steve Mandras 41 Reputation points
2025-04-12T17:00:40.22+00:00 Sorry I can't accept this answer. This is an Azure managed certificate service- we simply put the information that Azure tells us to put into our domain registrar and Azure generates the certificate. And the certificate is in the wrong order, even according to SSL Labs. This is not a site24x7 issue, they are just monitoring the health and validity of our certificates.
-
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator
2025-04-14T23:27:13.9666667+00:00 Hello Steve Mandras,
We really appreciate your efforts and sharing the additional information, could you please confirm if you have followed the steps outlined in the document below and validated accordingly? -
Steve Mandras 41 Reputation points
2025-04-15T16:00:23.2466667+00:00 No, we are using these instructions for Azure managed certificates
https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?tabs=general&pivots=azure-portal -
Steve Mandras 41 Reputation points
2025-04-15T16:18:25.2666667+00:00 Question- do we need to add an A record for the apex domain AND a CNAME for the actual website URL in the container app's custom domain blade?
-
Steve Mandras 41 Reputation points
2025-04-15T17:38:00.4933333+00:00 Just cleared up the above question- our apex domain is registered and some of the subdomains are used at different service providers. The subdomain we are adding to the container app's custom domain would have to be a CNAME pointing to the external-facing container app URL. We followed the instructions step by step in the last link I posted above.
-
Steve Mandras 41 Reputation points
2025-04-15T21:32:39.81+00:00 We just followed these directions verbatim:
https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?tabs=general&pivots=azure-portal
and added a second custom domain to the same container app. Same result. -
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator
2025-04-15T22:55:59.05+00:00 Hello Steve Mandras,
We are suspecting that there could be an issue with Certificate generated through Azure Container apps. It appears that the intermediate certificate chain might be missing some details from the generated certificate. We have an open bug reported with the Container apps team around this managed certificate issue. Can you please try creating the certificate through a Key vault - Get started with Key Vault certificates and access the generated certificate in the container apps - Import certificates from Azure Key Vault to Azure Container Apps to see if this addresses your concern.
-
Steve Mandras 41 Reputation points
2025-04-16T15:27:33.0866667+00:00 Thanks Loknathsatyasaivarma. As I mentioned earlier, everything is working correctly. The cert shows that it is valid in browsers. We have no problems connecting to the service with the custom domain. However, our environment monitoring platform is flagging this SSL cert as having an incorrect order. I'm glad you've identified a potential bug with the managed certificate generation in container apps. We temporarily disabled "trust certification path" in our monitoring platform, se we have a workaround. Please see private message.
-
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator
2025-04-16T21:30:11.7966667+00:00 Hello Steve Mandras,
Could you please check the private message.
-
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator
2025-04-17T23:13:49.0366667+00:00 Hello Steve Mandras,
We have escalated your concern to the Container App Product team and waiting for their feedback. Once we receive any information, we will update you accordingly.
Sign in to comment
Sign in to answer