Problem with App Service Managed Certificates on custom domain

David Pelletier 0 Reputation points

The app service managed certificates for our custom domain didn't renew automatically, but according to this documentation it should have been:

We use a application gateway with a WAF as our frontfacing endpoint with a let's encrypt certificate (that we renew automatically with a automation script and this part is working perfectly), the application gateway have a single backend pool, our azure web ap.

We decided to use the app service managed certificate for the custom domain, we registered a custom domain using Azure DNS a created the CNAME record in our DNS zone as pointing to, but sadly the certificates expired after 6 month and didn't create a new one letting our app not accessible because the application gateway was not allowing request to the web app because of the expired certificates. Is it normal that the app service managed certificates for the custom domain didn't renew itself automatically, is the documentation wrong ?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,090 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Grmacjon-MSFT 13,041 Reputation points

    Hi @David Pelletier We are sorry to hear you're facing this issue. When did you get your managed certificates?

    Based on the docs: Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew or rekey process. The new certificate order remains in "pending issuance" mode during the renew or rekey process until you complete the domain verification.

    Unlike the free App Service managed certificate, domain re-verification for App Service certificates isn't automated. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review Confirm domain ownership.

    The renewal process requires that the well-known service principal for App Service has the required permissions on your key vault. These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.

    Please let us know if you have further questions.


    0 comments No comments

  2. TP 55,551 Reputation points

    Hi David,

    The free app service managed certificate should've renewed automatically when it was within 45 days of expiration.

    If you haven't already, please navigate to your web app in the portal -- Diagnose and solve problems blade. Enter Managed Certificate in the search box on right and when it displays as a result click on it.

    qna app service diagnose managed cert1

    After several seconds delay you should see more information about renewal failures that occurred.

    qna app service diagnose managed cert2

    Please click Accept Answer and upvote if above was useful.



    0 comments No comments

  3. David Pelletier 0 Reputation points

    The problem was from my side because of misunderstanding the documentation.

    I configure to block all incoming traffic except traffic coming from our VNet, we required that the request go through the Azure WAF (through the Azure application gateway).

    When a configured the App Service Managed Certificates, it created a CNAME record in our Azure DNS zone, but this record was redirecting people to which in the end is the public IP address of the webapp (remind that all incoming traffic outside the VNet is block), so i deleted the CNAME record and created a A record pointing to the public IP address of our Azure Application Gateway, and everything work.

    I didn't understand that App Service Managed Certificates only work with CNAME record and not A record, so to fix our problem, we removed the HTTPS only on our webapp and allow HTTP traffic between the AG and our webapp