Azure App Service SSL Certificate Binds to Sub domain (www.mydomain.com) but not to my root domain (mydomain.com)

Md Shervin 5 Reputation points
2025-03-18T12:30:29.8066667+00:00

I currently have added the CNAME, A records and the TXT records for both my root and subdomains. Both domains have been successfully added to my Azure App Service; however, I have an issue binding the relevant SSL certificates.

For the subdomain (www.mydomain.com) the SSL certificate binds successfully, but for my root domain (mydomain.com) it does not. I also get this error:

Failed to create App Service Managed Certificate for mydomain.com due to error


Please note that both domains have the same name. What should I do here? Any advice?

Azure App Service

1 answer

  1. Bhargavi Naragani 5,270 Reputation points Microsoft External Staff Moderator
    2025-03-19T17:21:32.4766667+00:00

    Hi @Md Shervin,

    It seems like you're facing an issue where the SSL certificate successfully binds to your subdomain (www.mydomain.com) but not to your root domain (mydomain.com). This is a typical issue when working with Azure App Service Managed Certificates since they only allow CNAME-based domains. Azure's App Service Managed Certificate needs a CNAME record, but root (apex) domains usually have an A record (referring to an IP address) rather than a CNAME. Because the root domain isn't configured with a CNAME that references the App Service, Azure doesn't create an SSL certificate for it.

    Because Azure App Service Managed Certificates don't apply to root domains with A records, it's best to buy an SSL certificate from a third-party vendor (such as GoDaddy, DigiCert, or Let's Encrypt) and bind it to the root domain manually in Azure.

    Steps to fix using third-party SSL:

    1. Buy an SSL certificate from a third party.
    2. Navigate to Azure App Service > TLS/SSL Settings.
    3. Import the PFX format of the certificate.
    4. Attach the certificate to your root domain and verify the binding.

    Alternative approach: A workaround to enable CNAME mapping for your root domain is to utilize Azure Front Door or Azure CDN, which are reverse proxies and allow you to use a CNAME rather than an A record for the root domain. This way, you can use an App Service Managed Certificate.

    Steps to fix using Azure Front Door:

    1. Implement Azure Front Door in the Azure portal.
    2. Configure your root domain as a CNAME to Azure Front Door.
    3. Enable an App Service Managed Certificate for your domain.
    4. Bind the certificate via Front Door.

    Kindly refer to the documentation below for a better understanding:
    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#create-a-free-managed-ssl-certificate
    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings
    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face a similar issue may benefit from it.

    Let me know if you have any further queries.

    1 person found this answer helpful.
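
Added example (not part of the answer above and not Microsoft's code): before importing a purchased PFX for the root domain, it is worth checking that the certificate's SAN entries cover both hostnames, because a wildcard entry such as `*.mydomain.com` covers `www.mydomain.com` but not `mydomain.com`. The SAN lists are constructed sample data and the function names are illustrative.

```python
# Added example: which of the hostnames to be bound does a certificate cover?
# The SAN lists below are constructed sample data, not from a real certificate.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so "*.mydomain.com" never matches "mydomain.com".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    # A "*" anywhere else (partial or non-left-most) is not a wildcard.
    return "*" not in pattern and p == h


def uncovered(san_entries, hostnames):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]


# Hostnames from the question: the apex and the www subdomain.
BINDINGS = ["mydomain.com", "www.mydomain.com"]

# Constructed SAN lists for three certificates one might purchase.
SAMPLE_CERTS = {
    "wildcard-only": ["*.mydomain.com"],
    "www-only": ["www.mydomain.com"],
    "apex-plus-wildcard": ["mydomain.com", "*.mydomain.com"],
}


def report():
    """Map each sample certificate to the bindings it fails to cover."""
    return {name: uncovered(sans, BINDINGS)
            for name, sans in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, missing in report().items():
        print(name, "covers both" if not missing else f"missing {missing}")
```
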
