Failed to create App Service Managed Certificate

Pidan 0 Reputation points
2023-06-15T15:18:40.31+00:00

This is what I get after trying to create the managed CA again; I also tried to recreate the custom domain. The problem is that nothing is showing in my web app certificates.

Add App Service Managed Certificate

Error adding managed certificate: Properties.CanonicalName is invalid. Found a duplicate certificate with bowencyber.com available or in pending issued under serverFarmId /subscriptions/bxxxxxx-xxxx---xxxxxxx8f/resourceGroups/Red_Team/providers/Microsoft.Web/serverfarms/project1plan. Pending certificate operation id: 0373b405-fedd-4ea2-9e8d-a687878979ff, timeout: 6/15/2023 3:58:23 PM.

Successfully added custom domain: bowencyber.com. Failed to create App Service Managed Certificate for bowencyber.com due to error: Properties.CanonicalName is invalid. Found a duplicate certificate with bowencyber.com available or in pending issued under serverFarmId /subscriptions/bxxxx-xxx-xxx-xxx8f/resourceGroups/Red_Team/providers/Microsoft.Web/serverfarms/project1plan. Pending certificate operation id: 0373b405-fedd-4ea2-9e8d-a687878979ff, timeout: 6/15/2023 3:58:23 PM.

Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

2 answers

  1. Ajay Kumar N 28,161 Reputation points Microsoft Employee Moderator
    2023-06-16T07:47:51.2066667+00:00

    @Pidan, adding to Andriy's suggestions.

    Apologies that you're experiencing this error while trying to add an App Service Managed Certificate (ASMC) to your App Service. The error message indicates that there is a duplicate certificate with the same domain name that is either available or in a pending state.

    Typically, I have seen similar cases/error messages occurring when anything is blocking, such as an existing certificate, IP restriction or path mapping; wait a few hours for the current request to expire and then retry the operation.

    To isolate the issue, you may try the following steps:

    - Please make sure that the A record of the domain is mapped properly to the IP address of the web app. Also, make sure your web app is accessible from the public network and does not have any IP restrictions set up.

    - Based on the duplicate error message, check if there is an existing certificate with the same domain name in your App Service from your previous attempt (~pending). You can do this by navigating to the Certificates section in the Azure portal and checking if there is a certificate with the same domain name (and its state, e.g. pending).

    - The free ASMC has some limitations, please take a look.
    As Andriy mentioned, the free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com. Reference doc.

     

    Kindly let us know how it goes; I'll follow up with you further.

    Note: Kindly do not share any PII on public forums. I have edited this info from your question.


  2. Andriy Bilous 12,086 Reputation points MVP Volunteer Moderator
    2023-06-16T04:59:26.7633333+00:00

    Hello @Pidan

    If your DNS zone is hosted on Azure, it's suggested to add a DNS Record Set.

    You may use the script below.

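    # Azure DNS zone that hosts the domain, and the resource group that contains the zone
    $ZoneName = 'domain'
    $ResourceGroupName = '...'

    # Build a CAA record (flags 0, tag 'issue') that authorizes digicert.com
    $Config = @()
    $Config += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag 'issue' -CaaValue 'digicert.com'
    # Create the CAA record set at the zone apex ('@') with a one-hour TTL
    New-AzDnsRecordSet -Name '@' -RecordType 'CAA' -Ttl 3600 -DnsRecords ($Config) -ZoneName $ZoneName -ResourceGroupName $ResourceGroupName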
    
    

    Some other helpful info:
    https://learn.microsoft.com/en-us/answers/questions/878638/properties-canonicalname-is-invalid-found-a-duplic
    https://learn.microsoft.com/en-us/answers/questions/39208/create-app-service-managed-certificates-(preview)
    https://github.com/Azure/bicep/discussions/5006

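Both answers point at the CAA record `0 issue digicert.com`. As an added example that is not part of either answer, the PowerShell below evaluates a CAA record set the way RFC 8659 describes for a non-wildcard name and reports whether DigiCert would be allowed to issue. The function names `Test-CaaAllowsIssuer` and `New-Caa`, the issuer `ca.example` and the sample record sets are constructed for illustration.

```powershell
# Added example: evaluates a CAA record set for non-wildcard issuance (RFC 8659).
# Assumes each record exposes Flags, Tag and Value properties.
function Test-CaaAllowsIssuer {
    param(
        [object[]]$Records = @(),
        [string]$Issuer = 'digicert.com'
    )
    $known = 'issue', 'issuewild', 'iodef'
    foreach ($r in $Records) {
        # A critical record (flag bit 128) with an unrecognized tag blocks issuance.
        if (($r.Flags -band 128) -and ($known -notcontains $r.Tag)) {
            return [pscustomobject]@{ Allowed = $false; Reason = "critical unknown tag '$($r.Tag)'" }
        }
    }
    $issue = @($Records | Where-Object { $_.Tag -eq 'issue' })
    if ($issue.Count -eq 0) {
        # No record set, or only iodef/issuewild: non-wildcard issuance is unrestricted.
        return [pscustomobject]@{ Allowed = $true; Reason = 'no issue records, issuance unrestricted' }
    }
    foreach ($r in $issue) {
        # Value is "issuer-domain[; parameters]"; an empty issuer authorizes no CA.
        $name = ($r.Value -split ';')[0].Trim()
        if ($name -eq $Issuer) {
            return [pscustomobject]@{ Allowed = $true; Reason = "issue record names $Issuer" }
        }
    }
    return [pscustomobject]@{ Allowed = $false; Reason = "issue records exist but none names $Issuer" }
}

# Constructed sample record sets (not taken from the thread).
function New-Caa($Flags, $Tag, $Value) {
    [pscustomobject]@{ Flags = $Flags; Tag = $Tag; Value = $Value }
}
$samples = [ordered]@{
    'no CAA records'     = @()
    'other CA only'      = @(New-Caa 0 'issue' 'ca.example')
    'DigiCert added'     = @((New-Caa 0 'issue' 'ca.example'), (New-Caa 0 'issue' 'digicert.com'))
    'issuance forbidden' = @(New-Caa 0 'issue' ';')
}
foreach ($case in $samples.Keys) {
    $result = Test-CaaAllowsIssuer -Records $samples[$case]
    '{0,-20} Allowed={1} ({2})' -f $case, $result.Allowed, $result.Reason
}
```

For a zone hosted in Azure DNS, the `Records` property of the object returned by `Get-AzDnsRecordSet -Name '@' -RecordType CAA` can be passed as `-Records`. Once any `issue` record exists, only the CAs named in the set may issue for the domain, so check for certificates from other issuers before creating the first one.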
