Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,974 questions
How can I remove an expired intermediate certificate from an Azure App Service
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 70%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
DavidG
10
Reputation points
Hello,
In our Azure App Services we have an intermediate certificate that has expired today and even though we have uploaded a new version of the certificate with the updated certificate chain 3 days ago and removed the one that included the exped certificate, it is still being served and causing issues for our clients.
However when checking with services like ssllabs, the expired is still showing, even though it also shows that there are 2!? certificate paths available.
Here is an example: https://www.ssllabs.com/ssltest/analyze.html?d=account.answerbase.com
You can see that the certificate SSL.com Root Certification Authority RSA has expired today the 11th of September, but you can also see under Certification paths, that there are two, both the old and new versions.
How can we force the removal/deletion of the old intermediate certificate so we're sure it's only the new correct one that is being served?
Any feedback is helpful.
Kind regards,
David
Azure App Service
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 59%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SnehaAgrawal-MSFT 22,706 Reputation points Moderator2023-09-13T07:26:10.68+00:00 @DavidG Thanks for reaching here! If I am understanding right you are uploading a private certificate
If so, When you replace an expiring certificate, the way you update the certificate binding with the new certificate might adversely affect user experience. For example, your inbound IP address might change when you delete a binding, even if that binding is IP-based.
This result is especially impactful when you renew a certificate that's already in an IP-based binding.
To avoid a change in your app's IP address, and to avoid downtime for your app due to HTTPS errors, follow these steps in the specified sequence:
- Upload the new certificate.
- Go to the Custom domains page for your app, select the ... actions button, and select Update binding.
- Select the new certificate and select Update.
- Delete the existing certificate.
Please let us know, if issue remains.
-
DavidG 10 Reputation points
2023-09-13T08:02:20.2966667+00:00 Hello,
Thanks for answering. We did update the certificate the way you specified and the certificate is not IP based, but SNI.
In any case, would the issue you are referring to above allow two intermediate certificates to exist alongside each other, one of them being expired and still both being served intermittently as part of the certificate chain?
The clients we have that are experiencing the issue are experiencing it when accessing our web based api, sending a request to a https url.
Regards,
David
-
SnehaAgrawal-MSFT 22,706 Reputation points Moderator
2023-09-14T08:02:41.82+00:00 @DavidG From my understanding, you have already uploaded a new certificate.
As of the current DNS settings, the URL answerbase.com resolves to the IP address 13.71.194.193. However, the it seems your azure web app is configured to listen on a different IP address. Depending on where the current DNS points, you may encounter varying behavior.
If the DNS points to an Azure web app endpoint that is not correctly configured, you will receive the default certificate instead of the one you've configured. Furthermore, if you proceed, you'll likely encounter a 404 error because the platform won't be able to locate the web app.
If so, Its recommended to update your DNS settings.
Refer to Configuring DNS for Azure Website
Also, just to confirm, have you completed the binding process as well? To secure a custom domain with the new certificate, you still need to create a certificate binding.
Please note that a "Secure" state in the Custom domains indicates that it is secured with a certificate. However, App Service doesn't perform checks on whether the certificate is self-signed or expired. Such issues can lead to browser errors or warnings. If your app is giving you certificate validation errors, it's possible that you're using a self-signed certificate.
Further you can verify this by opening various browsers and navigate to https://<your.custom.domain> to ensure that it correctly serves your app.
If issue remains suggest you to please reach out to us by sending an email with subject line “Attn:Sneha |thread title” to AzCommunity[at]microsoft[dot]com referencing this thread, would take closer look on this.
-
DavidG 10 Reputation points
2023-09-14T08:07:58.0566667+00:00 Yes, answerbase.com is on a different ip, and i posted a link to an example with account.answerbase.com which showed the issue.
As I mentioned it was not a problem with the leaf certificate, it was the intermediate certificate. From your response, I'm not sure you understood what the issue was, but in any case, MS support has finally today (3 days after the expiry of the intermediate certificate) told us that the issue is solved. I don't know how yet, nor how to prevent it in the future, so hopefully they'll get back on that.
Sign in to comment
Sign in to answer