Static website custom domain missing SSL

Question

Greetings,

I have a storage account with a static website deployed that sits behind a vnet and I am trying to add a custom domain name for it. I have added the CNAME record in my DNS zone, however whenever I try to open it I receive an error saying the certificate is only valid for the auto-generated static website domains of type *.web.z6.web.core.windows.net/. From what I read the cert should get generated automatically. If I use the auto-generated domain it resolve fine and opens the static site.

Here is a part of the error:

Error code: SSL_ERROR_BAD_CERT_DOMAIN

NET::ERR_CERT_COMMON_NAME_INVALID

 

Unable to communicate securely with peer: requested domain name does not match the server’s certificate. HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Am I missing a step or something else along the way ?

Thanks,
Dimitar

Answer 1

@Dimitar Grozev

Thank you for reaching out.

I understand that you have a storage account with a static website that sits behind a vnet and you are trying to add a custom domain name for it.

As documented here in order to custom domain with HTTPS enabled you have to use Azure Front Door (preferred) or Azure CDN.

You can follow the documentation here if choose to use Azure Front Door which is the recommended service here.

If I may, based on your statement above.

From what I read the cert should get generated automatically.

As documented here This holds true for Azure Static Web Apps but for static websites hosted on Azure Storage you need to use the method above to enable HTTPS.

Please let me know if I have misunderstood your question and we will gladly continue with our discussion. Thank you!

Answer 2

Hello Dimitar Grozev,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

Sequel to your questions, I understand that you are facing an SSL certificate validation error when attempting to access Azure Storage Account static website using a custom domain. Despite correctly configuring the DNS records and ensuring that the SSL certificate is automatically generated by Azure, you are unable to resolve the issue.

Scenario

Dimitar has set up a static website on an Azure Storage Account and he’s trying to reach it through a custom domain name. He’s done his part by adding a CNAME record in his DNS zone, linking the custom domain to the endpoint of the Azure Storage Account. Normally, Azure should automatically create an SSL certificate for the custom domain. But, when Dimitar attempts to visit the website via the custom domain, he’s met with an SSL certificate validation error. The error message suggests that the SSL certificate the server is presenting doesn’t align with the domain name being accessed. Even though he’s followed the suggested steps, Dimitar can’t seem to fix the issue and is looking for help to troubleshoot this SSL certificate validation error.

Solution

This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement.

There are two things:

1. If you're hosting a static website on an Azure Storage Account and want to use a custom domain with SSL, you would typically need to use a Content Delivery Network (CDN) service. Read for more clarification: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website and https://stackoverflow.com/questions/61662502/enabling-https-for-a-azure-blob-static-website
2. If you're using Azure Static Web Apps, free SSL/TLS certificates are automatically created for the auto-generated domain name and any custom domains you may add. Read more for clarification: https://learn.microsoft.com/en-us/azure/static-web-apps/custom-domain and https://learn.microsoft.com/en-us/azure/static-web-apps/custom-domain-azure-dns?source=recommendations

Finally

If you are configuring the right as stated in the number 2 above. You can use Azure CLI to configure the below:

• Get the SSL Certificate Thumbprint

Verify SSL Certificate Configuration

• Bind SSL Certificate

# Set variables
resourceGroupName="<your-resource-group-name>"
webappName="<your-webapp-name>"
# Get SSL certificate thumbprint
sslCertificateThumbprint=$(az webapp config ssl list --resource-group $resourceGroupName --name $webappName --query "[0].thumbprint" --output tsv)
echo "SSL Certificate Thumbprint: $sslCertificateThumbprint"
# Verify SSL certificate configuration
sslCertificate=$(az webapp config ssl show --resource-group $resourceGroupName --name $webappName --thumbprint $sslCertificateThumbprint)
echo "SSL Certificate Configuration: $sslCertificate"

# After verifying SSL thumbprint and copied 
# Set variables
resourceGroupName="<your-resource-group-name>"
webappName="<your-webapp-name>"
thumbprint="<your-ssl-thumbprint>"

# Bind SSL certificate to the web app
az webapp config ssl bind \
    --name $webappName \
    --resource-group $resourceGroupName \
    --certificate-thumbprint $thumbprint \
    --ssl-type SNI

Use the above in Azure CLI and provide respective value

• Update DNS Records

Everything should work fine.

References

Read more additional resources provided by the right side of this page.

Also, check through the links provided in the solution.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam