[Action Recommended] Azure Managed TLS certificate has invalid DNS records.

Question

[Action Recommended] Azure Managed TLS certificate has invalid DNS records.

Ankush Gurjar 170

I got the mail from Microsoft-

What is the meaning that we have AFD Managed certificate, is any impact?

[Action Recommended] Azure Managed TLS certificate has invalid DNS records.

You are receiving this notice as a customer who has an Azure Managed TLS certificate in the Azure Front Door service with invalid DNS records.

Microsoft sent you a notice on 01 December 2023 informing you that Azure Managed certificates stored in Azure Front Door (AFD) would be automatically rotated. For details on why Microsoft is rotating these certificates, refer to the previous notice with tracking ID YLBG-DTZ.

The Azure Front Door service was unable to automatically rotate one or more of your certificates due to invalid DNS records. Customers are recommended to take action to update their certificates.

Recommended Actions

Confirm that the correct DNS CNAME is pointing to your Azure Front Door custom domain or that the required DNS TXT record exists.

Follow the guidance in the link for detailed instructions on how to do this: Domains in Azure Front Door | Microsoft Learn

Additional Support

If you have any questions or concerns, please open a support case through the Azure Portal at aka.ms/azsupt and reference tracking ID YLBG-DTZ in your case

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-20T07:51:58.67+00:00
@Ankush Ambadas Gurjar

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you have received a notification from Azure regarding Managed Certificates in AFD.

When you enable HTTPS on AFD custom domain, you will be required to prove ownership of the domain.

See : Azure Front Door-managed certificates for non-Azure pre-validated domains

Once this is done and the custom domain is associated with an endpoint successfully, Azure Front Door generates a certificate and deploys it.

This is Azure Managed TLS certificate.

Once the above issued certificate expires, it should be "rotated", i.e., a new certificate will be issues and deployed.

If the domain CNAME record points still directly to a Front Door endpoint or points indirectly to a Traffic Manager endpoint. Otherwise, you need to re-validate the domain ownership to rotate the certificates.

Now, you have to manually revalidate the custom domain from the AFD "Domains" Section.

See : Add a custom domain

Start from Step 3 to validate the domain

Cheers,

Kapil.
Ankush Gurjar 170 Reputation points

2023-12-21T04:38:22.8466667+00:00

Hello Kapil,

I didn't get exactly, what type of ownership required to prove ownership of the domain.

We have AFD managed certificates and validation state is approved.

Could you elaborate more exactly.

Regards

Ankush
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-21T04:47:30.7966667+00:00
@Ankush Ambadas Gurjar

Can you please share a screenshot of the custom domain?

Is the DNS Zone deployed in Azure or a third party?

Is it an apex/root domain?

Can you try to regenerate the

Are you able to "regenerate" the TXT record?

Cheers,

Kapil
Ankush Gurjar 170 Reputation points

2023-12-21T06:30:44.2666667+00:00

We have configured this type of settings, and not able to generate txt record.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-21T06:52:02.9166667+00:00
@Ankush Ambadas Gurjar

Navigate to the Front Door

Click on "Domain" from the left side

And share the screenshot as below please

I am interested in the columns "Validation state" , "Certificate state" and "DNS State"

Please share the complete message under the above columns as well
Ankush Gurjar 170 Reputation points

2023-12-21T07:38:26.1966667+00:00

Hello,

All certificates from AFD are same as shown in screenshot.
Ankush Gurjar 170 Reputation points

2023-12-21T08:59:30.8166667+00:00

@kapil

is this alert regarding only those who are using Azure managed DNS?

Regards
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-21T10:01:03.48+00:00

@Ankush Ambadas Gurjar

From the portal, it appears your AFD Custom Domain is validated and the certificate is not yet expired. (we can see it still has 133 days until expiration/rotation).

The alert is regarding AFDs using Azure managed TLS certificate and not Azure managed DNS.

However, since we cannot see any issues related to the certificate (the certificate still being valid) , I'd suggest you to reach out to Azure Support with the tracking ID to understand if this Alert was a false-positive or there is some other issue.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Cheers,

Kapil
Arturo Sánchez Pineda 17 Reputation points

2023-12-22T11:18:45.0466667+00:00

Hi!

Other users got the same email. The Certificates are, in fact, valid. Can you please confirm here that it was a false-positive?

Thanks and cheers,

Arturo

1 answer

Your answer

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-20T07:51:58.67+00:00

@Ankush Ambadas Gurjar

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you have received a notification from Azure regarding Managed Certificates in AFD.

When you enable HTTPS on AFD custom domain, you will be required to prove ownership of the domain.

See : Azure Front Door-managed certificates for non-Azure pre-validated domains

Once this is done and the custom domain is associated with an endpoint successfully, Azure Front Door generates a certificate and deploys it.

This is Azure Managed TLS certificate.

Once the above issued certificate expires, it should be "rotated", i.e., a new certificate will be issues and deployed.

If the domain CNAME record points still directly to a Front Door endpoint or points indirectly to a Traffic Manager endpoint. Otherwise, you need to re-validate the domain ownership to rotate the certificates.

Now, you have to manually revalidate the custom domain from the AFD "Domains" Section.

See : Add a custom domain

Start from Step 3 to validate the domain

Cheers,

Kapil.
Ankush Gurjar 170 Reputation points

2023-12-21T04:38:22.8466667+00:00

Hello Kapil,

I didn't get exactly, what type of ownership required to prove ownership of the domain.

We have AFD managed certificates and validation state is approved.

Could you elaborate more exactly.

Regards

Ankush
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-21T04:47:30.7966667+00:00

@Ankush Ambadas Gurjar

Can you please share a screenshot of the custom domain?

Is the DNS Zone deployed in Azure or a third party?

Is it an apex/root domain?

Can you try to regenerate the

Are you able to "regenerate" the TXT record?

Cheers,

Kapil
Ankush Gurjar 170 Reputation points

2023-12-21T06:30:44.2666667+00:00

We have configured this type of settings, and not able to generate txt record.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-21T06:52:02.9166667+00:00

@Ankush Ambadas Gurjar

Navigate to the Front Door

Click on "Domain" from the left side

And share the screenshot as below please

I am interested in the columns "Validation state" , "Certificate state" and "DNS State"

Please share the complete message under the above columns as well
Ankush Gurjar 170 Reputation points

2023-12-21T07:38:26.1966667+00:00

Hello,

All certificates from AFD are same as shown in screenshot.
Ankush Gurjar 170 Reputation points

2023-12-21T08:59:30.8166667+00:00

@kapil

is this alert regarding only those who are using Azure managed DNS?

Regards
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-12-21T10:01:03.48+00:00

@Ankush Ambadas Gurjar

From the portal, it appears your AFD Custom Domain is validated and the certificate is not yet expired. (we can see it still has 133 days until expiration/rotation).

The alert is regarding AFDs using Azure managed TLS certificate and not Azure managed DNS.

However, since we cannot see any issues related to the certificate (the certificate still being valid) , I'd suggest you to reach out to Azure Support with the tracking ID to understand if this Alert was a false-positive or there is some other issue.

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Cheers,

Kapil
Arturo Sánchez Pineda 17 Reputation points

2023-12-22T11:18:45.0466667+00:00

Hi!

Other users got the same email. The Certificates are, in fact, valid. Can you please confirm here that it was a false-positive?

Thanks and cheers,

Arturo

Answer 1

Hi @Ankush Ambadas Gurjar , Arturo Sanchez

I got a confirmation from our Product Team that users can ignore this alert as long as the certificates are valid (not yet expired).

To check this,

Navigate to the Front Door
Click on "Domain" from the left side
Please check the columns "Validation state" , "Certificate state" and "DNS State" to make sure the certificate is valid.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

[Action Recommended] Azure Managed TLS certificate has invalid DNS records.

1 answer

Your answer