How to deploy App Service with managed SSL certificate using Bicep

Remco Hooijer 20 Reputation points
2023-03-28T18:44:36.0333333+00:00

There is a bug in deploying an Azure Web App with a custom domain and Managed SNI SSL. You can't deploy this with Bicep without the hostname already there; however, adding a hostname with SNI SSL requires the cert thumbprint, creating a chicken/egg problem.

The code below generates the following error:

Hostname for which you are requesting certificate is not added to this webapp. Recommended Action Please add the hostname to the webapp and then try creating certificate.

param webApp string
param env string
param customDomainName string
param location string = resourceGroup().location // Location for all resources
param serverFarmId string
param webAppName string = '${webApp}-${env}-app'

// Create the managed certificate for the hostname
resource certificates 'Microsoft.Web/certificates@2022-03-01' = {
  name: customDomainName
  location: location
  properties: {
    canonicalName: customDomainName
    serverFarmId: serverFarmId
  }
}

// Hostname binding with SNI; referencing the certificate's thumbprint makes this
// resource depend on the certificate, which in turn needs the hostname to exist
resource customDomainSsl 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  name: '${webAppName}/${customDomainName}'
  properties: {
    siteName: webAppName
    hostNameType: 'Verified'
    sslState: 'SniEnabled'
    thumbprint: certificates.properties.thumbprint
    customHostNameDnsRecordType: 'A'
  }
}

Accepted answer

Ali Sufyan Butt 86 Reputation points MVP
2023-04-13T12:18:46.5833333+00:00

One potential solution could be to create the custom domain hostname binding first, without SSL, and then add the SSL binding using a subsequent deployment step. This would allow you to add the hostname to the webapp before creating the certificate, thereby avoiding the chicken/egg problem.
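The three-step ordering described in this answer, written out as an added Bicep example (not code from the question or the answer): the hostname is bound with TLS disabled, the managed certificate is issued after that binding exists, and a small module (a hypothetical file name, sni-binding.bicep) re-declares the binding with SNI enabled, since the same resource cannot be declared twice in one file. Both files are shown in one block, separated by file-marker comments.

```bicep
// ---- main.bicep (added example, not the question's code) ----
param webAppName string
param customDomainName string
param location string = resourceGroup().location
param serverFarmId string

// Step 1: bind the hostname with TLS disabled, so the app owns the hostname
resource hostnameBinding 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  name: '${webAppName}/${customDomainName}'
  properties: {
    siteName: webAppName
    hostNameType: 'Verified'
    customHostNameDnsRecordType: 'A'
    sslState: 'Disabled'
  }
}

// Step 2: managed certificate, issued only after the binding exists
resource managedCert 'Microsoft.Web/certificates@2022-03-01' = {
  name: '${webAppName}-${customDomainName}'
  location: location
  properties: {
    canonicalName: customDomainName
    serverFarmId: serverFarmId
  }
  dependsOn: [ hostnameBinding ]
}

// Step 3: enable SNI in a module (a resource can't be declared twice in one file)
module enableSni 'sni-binding.bicep' = {
  name: 'enableSni-${uniqueString(customDomainName)}'
  params: {
    webAppName: webAppName
    customDomainName: customDomainName
    thumbprint: managedCert.properties.thumbprint
  }
}

// ---- sni-binding.bicep (hypothetical file name) ----
param webAppName string
param customDomainName string
param thumbprint string

resource sniBinding 'Microsoft.Web/sites/hostNameBindings@2022-03-01' = {
  name: '${webAppName}/${customDomainName}'
  properties: {
    sslState: 'SniEnabled'
    thumbprint: thumbprint
  }
}
```

Step 1 still requires the domain's DNS verification records (the asuid TXT record and the A or CNAME record) to be in place before deployment, otherwise the 'Verified' binding itself fails.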


1 additional answer

Ali Sufyan Butt 86 Reputation points MVP
2023-04-13T12:19:21.55+00:00

Another solution could be to use an existing SSL certificate, rather than creating a new one. This would require you to retrieve the certificate thumbprint and use it in the Bicep code to create the Microsoft.Web/sites/hostNameBindings resource type. Not sure it will work; I hope it does.

