Hello, I'm trying to create an Azure Web App to supersede an existing Azure Web App. I've created the necessary TXT record to validate the domain name in the new App Service, however I'm unable to create an App Service Managed Certificate for the TLS/SSL binding. The error message is: "Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain XXXXXXX.com has an active CNAME record which is set to XXXXXX.azurewebsites.net." Is there a way I can get the TLS/SSL binding before adding the CNAME record? That seems like a strange restriction requiring a brief period where my web app won't have an SSL cert. Thank you!

Hi Steve, No, you cannot get the TLS/SSL binding before adding the CNAME record. Azure's requirement for an active CNAME record is a security measure to ensure domain ownership before issuing SSL certificates. Without this verification step, Azure cannot guarantee the legitimacy of the domain, and therefore, SSL certificates cannot be provisioned.. This process helps prevent unauthorized individuals from obtaining SSL certificates for domains they don't own. However, if you need SSL for your web app immediately and cannot wait for the DNS changes to propagate, you have a few alternatives: Bring Your Own Certificate (BYOC) : You can use a certificate purchased from a third-party Certificate Authority (CA) or issued by a service like Let's Encrypt, and then upload it to Azure App Service. This way, you can have SSL for your domain without waiting for the CNAME record verification. Keep in mind that you'll need to manage the certificate renewal process yourself. Wildcard SSL Certificate : If you're planning to use subdomains under your main domain, you might consider purchasing a wildcard SSL certificate that covers all subdomains (*.yourdomain.com). This can be uploaded to Azure App Service, providing SSL for your entire domain and any subdomains without needing individual certificates for each subdomain. Temporary SSL Solution : As a temporary solution, you could use a self-signed SSL certificate or a free certificate from services like Let's Encrypt for the transition period until the App Service Managed Certificate is issued. While not ideal for production use, it can provide SSL protection during the DNS propagation period. Please check this doc for ref https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex Kindly accept answer if it helps Thanks Deepanshu

Creating App Service Managed Certificate before CNAME record

Accepted answer

Deepanshukatara-6769 8,060 Reputation points

2024-05-30T13:50:31.6733333+00:00
Hi Steve,

No, you cannot get the TLS/SSL binding before adding the CNAME record. Azure's requirement for an active CNAME record is a security measure to ensure domain ownership before issuing SSL certificates. Without this verification step, Azure cannot guarantee the legitimacy of the domain, and therefore, SSL certificates cannot be provisioned.. This process helps prevent unauthorized individuals from obtaining SSL certificates for domains they don't own.

However, if you need SSL for your web app immediately and cannot wait for the DNS changes to propagate, you have a few alternatives:

Bring Your Own Certificate (BYOC): You can use a certificate purchased from a third-party Certificate Authority (CA) or issued by a service like Let's Encrypt, and then upload it to Azure App Service. This way, you can have SSL for your domain without waiting for the CNAME record verification. Keep in mind that you'll need to manage the certificate renewal process yourself.

Wildcard SSL Certificate: If you're planning to use subdomains under your main domain, you might consider purchasing a wildcard SSL certificate that covers all subdomains (*.yourdomain.com). This can be uploaded to Azure App Service, providing SSL for your entire domain and any subdomains without needing individual certificates for each subdomain.

Temporary SSL Solution: As a temporary solution, you could use a self-signed SSL certificate or a free certificate from services like Let's Encrypt for the transition period until the App Service Managed Certificate is issued. While not ideal for production use, it can provide SSL protection during the DNS propagation period.

Please check this doc for ref https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex

Kindly accept answer if it helps

Thanks

Deepanshu
Please sign in to rate this answer.
Steve Christy 45 Reputation points

2024-05-30T13:57:40.9766667+00:00

Thank you for the response. I thought domain ownership could be proven with that TXT record but if that's not the case I suppose I will have to look into other options as you suggest.

Deepanshukatara-6769 8,060 Reputation points

2024-05-30T14:27:27.5066667+00:00

Yes actually The TXT record is a domain verification ID that helps avoid subdomain takeovers from other App Service apps l
Sign in to comment

Share via

Creating App Service Managed Certificate before CNAME record

2 additional answers