Creating App Service Managed Certificate before CNAME record

Steve Christy 45 Reputation points
2024-05-30T13:36:36.1066667+00:00

Hello,

I'm trying to create an Azure Web App to supersede an existing Azure Web App. I've created the necessary TXT record to validate the domain name in the new App Service, however I'm unable to create an App Service Managed Certificate for the TLS/SSL binding. The error message is: "Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain XXXXXXX.com has an active CNAME record which is set to XXXXXX.azurewebsites.net."

Is there a way I can get the TLS/SSL binding before adding the CNAME record? That seems like a strange restriction requiring a brief period where my web app won't have an SSL cert.

Thank you!

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,407 questions
0 comments No comments
{count} vote

Accepted answer
  1. Deepanshukatara-6769 8,060 Reputation points
    2024-05-30T13:50:31.6733333+00:00

    Hi Steve,

    No, you cannot get the TLS/SSL binding before adding the CNAME record. Azure's requirement for an active CNAME record is a security measure to ensure domain ownership before issuing SSL certificates. Without this verification step, Azure cannot guarantee the legitimacy of the domain, and therefore, SSL certificates cannot be provisioned.. This process helps prevent unauthorized individuals from obtaining SSL certificates for domains they don't own.

    However, if you need SSL for your web app immediately and cannot wait for the DNS changes to propagate, you have a few alternatives:

    1. Bring Your Own Certificate (BYOC): You can use a certificate purchased from a third-party Certificate Authority (CA) or issued by a service like Let's Encrypt, and then upload it to Azure App Service. This way, you can have SSL for your domain without waiting for the CNAME record verification. Keep in mind that you'll need to manage the certificate renewal process yourself.
    2. Wildcard SSL Certificate: If you're planning to use subdomains under your main domain, you might consider purchasing a wildcard SSL certificate that covers all subdomains (*.yourdomain.com). This can be uploaded to Azure App Service, providing SSL for your entire domain and any subdomains without needing individual certificates for each subdomain.
    3. Temporary SSL Solution: As a temporary solution, you could use a self-signed SSL certificate or a free certificate from services like Let's Encrypt for the transition period until the App Service Managed Certificate is issued. While not ideal for production use, it can provide SSL protection during the DNS propagation period.

    Please check this doc for ref https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex

    Kindly accept answer if it helps

    Thanks

    Deepanshu


2 additional answers

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more