Hi @Martin Jørgensen,
Welcome to the Microsoft Q&A Platform!
When using Azure Web Apps with "IP-based SSL" binding, you may encounter hostname validation errors because Azure requires the hostname in the certificate to match the Web App’s hostname, even for IP-based SSL. This is due to the platform's adherence to SSL/TLS security standards, where hostname validation is enforced to prevent security risks from mismatched certificates.
Here are some workarounds to help you proceed with IP-based SSL:
Workarounds for IP-Based SSL Certificate Issues in Azure Web Apps
Generate a New Certificate with the Correct Hostname
- If possible, generate a new SSL certificate that includes the exact Web App hostname (e.g., sub.domain.com) in the Common Name (CN) or Subject Alternative Name (SAN) field. This ensures compatibility with Azure's hostname validation.
Use a Wildcard Certificate
- Wildcard certificates (e.g., *.domain.com) cover all subdomains under a primary domain, which can help bypass hostname restrictions. If your setup allows, replace your current certificate with a wildcard certificate, which Azure will accept across subdomains.
Implement SSL Offloading with Azure Application Gateway
- Azure Application Gateway supports SSL offloading, allowing you to upload the certificate here rather than directly to the Web App.
- By handling SSL termination at the Application Gateway level, this configuration bypasses the Web App’s hostname validation.
- The Web App can communicate via HTTP with the gateway, while the gateway provides the secure front-end connection.
Azure Key Vault Certificate Integration
- Upload the certificate to Azure Key Vault and link it to the Web App using Managed Identity. This offers centralized management and auto-rotation of certificates, which can be more efficient, though hostname validation is still required.
For reference:
- https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2CRBAC#binding-a-certificate
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
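
A pre-upload check for the certificate/hostname matching discussed in the answer above, as an added example that is not part of the original answer and not Azure's own code. It assumes RFC 6125-style matching (SAN DNS names take precedence over the CN, and a wildcard stands for exactly one left-most label); the function names and sample names are constructed for illustration.

```python
# Added example: does a certificate's CN/SAN set cover a Web App hostname?
# Matching rules are RFC 6125-style and are an assumption about the validator.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Compare one certificate name (exact or wildcard) with a hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard must be the whole left-most label and must sit above
        # at least a two-label domain (rejects names such as *.com).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(hostname, common_name, san_dns_names):
    """SAN DNS names win when present; the CN is only a fallback."""
    names = san_dns_names if san_dns_names else [common_name]
    return any(name_matches(n, hostname) for n in names)


def coverage_report(hostnames, common_name, san_dns_names):
    """Map each hostname to True/False so gaps are visible before binding."""
    return {h: cert_covers(h, common_name, san_dns_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate checked against three names.
    report = coverage_report(
        ["sub.domain.com", "a.sub.domain.com", "domain.com"],
        common_name="domain.com",
        san_dns_names=["*.domain.com"],
    )
    for host, ok in report.items():
        print(f"{host:20} {'covered' if ok else 'NOT covered'}")
```

Run against the names read from the certificate (for example from `openssl x509 -noout -text`) before uploading it, so a mismatch is caught before the binding step.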