Custom subdomain HTTPS failed creation of Azure App Service Managed Certificate

Istvan Molnar 40 Reputation points
2024-07-18T12:56:50.93+00:00

Summary

I am trying to register a custom domain for an Azure App Service app. Registration of the domain was successful and the app is available as HTTP.

I am unable to create any certificate for my domain on Azure, and I am not even sure which direction to look in for the solution.

Validation succeeds (I added the required CN and TXT), but adding fails.

Error:

"Create App Service Managed Certificate and configure SSL binding Failed to create App Service Managed Certificate for chat.easeme.eu due to error: Pending managed certificate failed: Certificate creation was rejected by CA for canonical name chat.easeme.eu: If retrying does not help, please contact support for assistance."

Is it possible that the issue is due to my incorrect Vercel settings? I am on the Hobby plan and already have the following certs on Vercel: "*.easeme.eu, easeme.eu"

Thanks a lot! Istvan

Steps to Reproduce

  • Have a Vercel-hosted hobby project with a custom domain (3rd-party-purchase) registered (e.g. easeme.eu)
  • A running Azure App Service app
  • Add binding to Custom Domain

Accepted answer
  1. Grmacjon-MSFT 18,216 Reputation points
    2024-07-18T21:48:54.3166667+00:00

    @Istvan Molnar thanks for bringing this to our attention. I am not able to click the images you sent. Can you please resend them? Based on the error message you shared, this looks like an issue with the certificate and not necessarily the Vercel settings.

    Here are a few things to consider:

    • Azure App Service uses DigiCert for issuing free managed certificates. Some organizations might have a Certificate Authority Authorization (CAA) record configured on their domain, specifying which certificate authorities are allowed to issue certificates for that domain. To troubleshoot the issue, please verify if your domain (easeme.eu) has a CAA record set. If it does, ensure it allows DigiCert to issue certificates for your specific subdomain (chat.easeme.eu). You can check CAA records using online tools. If the CAA record restricts DigiCert, you'll need to modify it to allow issuance or consider using a different certificate from Vercel.
    • Also make sure the TXT record you added for domain validation has fully propagated across the internet. This can take up to 72 hours in some cases. Retry creating the certificate after waiting for propagation to complete.

    -Grace

    1 person found this answer helpful.
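
The CAA check suggested in the answer above, as an added example that is not part of the original thread or any Microsoft tooling: it applies the RFC 8659 lookup (first CAA record set found while climbing from the subdomain to its parents) and tests whether `digicert.com` is authorized. The zone data and the `chat.example.eu` names are constructed, and the function names are hypothetical.

```python
# Constructed CAA data, not real DNS answers: owner name -> [(flags, tag, value)].
SAMPLE_ZONE = {
    "example.eu": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.eu"),
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Climb from the FQDN toward the root (RFC 8659, section 3) and return
    (owner, records) for the first name that publishes CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def ca_may_issue(fqdn, ca_domain, zone):
    """Return (allowed, reason) for a non-wildcard certificate request,
    so issuewild records are ignored."""
    owner, records = relevant_rrset(fqdn, zone)
    if owner is None:
        return True, "no CAA records on the name or its parents"
    for flags, tag, _ in records:
        # Critical bit (128) on a tag the CA does not understand blocks issuance.
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r} at {owner}"
    issuers = [v.split(";", 1)[0].strip().lower()
               for _, tag, v in records if tag.lower() == "issue"]
    if not issuers:
        return True, f"CAA at {owner} has no issue property"
    if ca_domain.lower() in issuers:
        return True, f"CAA at {owner} authorizes {ca_domain}"
    return False, f"CAA at {owner} only authorizes {issuers}"


if __name__ == "__main__":
    print(ca_may_issue("chat.example.eu", "digicert.com", SAMPLE_ZONE))
    fixed = {"example.eu": SAMPLE_ZONE["example.eu"] + [(0, "issue", "digicert.com")]}
    print(ca_may_issue("chat.example.eu", "digicert.com", fixed))
```

To feed it live data, collect the records with `dig CAA <name> +short` for the subdomain and each parent name and place them in the zone dictionary.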