Is it possible to have the same custom domain with Azure-managed certificate on both an app service and a Front Door endpoint?

Question

Is it possible to have the same custom domain with Azure-managed certificate on both an app service and a Front Door endpoint?

James Munro 45

I have an app service with a custom domain and an Azure managed certificate, which has worked fine for years. Recently I added a Front Door profile and of course added the same custom domain to that, with a certificate created by Azure Front Door.

In this process the DNS records for the domain were updated so that the A record is now an ALIAS to the AFD resource, and the CNAME for www points to the AFD endpoint.

However, recently Azure reported this error on the app service:

Auto-Renewal Failed... for Apex domain we must have the A record mapped to the webapp IP. For subdomain, we must have CNAME mapped to the webapp name.

This seems to imply that once Front Door is deployed, the web app itself can no longer have a custom domain. But there is advice from MS online that you should "Preserve the original HTTP host name between a reverse proxy and its back-end web application".

MS also states that "For HTTPS connections, Azure Front Door expects that your origin presents a certificate from a valid certificate authority (CA) with a subject name matching the origin hostname."

So I am confused about how to do this. (Maybe I have misunderstood.)

Can I have a custom domain with an Azure managed certificate on both AFD and the app service? If not, how do I meet the best practice on ensuring the original HTTP host name requested by the user also matches the app service host name?

James Munro 45 Reputation points

2025-04-08T08:41:55.7533333+00:00
Dear Ganesh, thank you for this very clear and logical advice. I really appreciate it.

As you say, we wish to have a custom domain cert both at the AFD endpoint, and on the app service itself, to ensure end-to-end TLS between the user and the application. But as I understand it, this means the app service cert cannot be managed by Azure. This is very surprising to me (if I have understood correctly) because:

you might imagine that the auto-renew validation could be based on the TXT asuid record, not the A or CNAME record

and the implication is that pretty much all users of AFD (since everyone would want a secure custom domain with end to end TLS) must provision their own certificates for their app services - something which I have not seen stated clearly in any of the extensive documentation I have read

I am wondering if there are any other options or workarounds for this situation since it seems extraordinary to me that everyone using AFD finds themselves in this situation. Perhaps while cert auto-renew fails for an apex domain, it might not fail for a subdomain? That would be at least some help.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-04-08T09:03:41.67+00:00

Hello James Munro

Thanks for the reply!

To understand better about your issue lets connect offline, please see private message for more details.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-04-08T10:07:53.2533333+00:00
Hello James Munro

Thanks for the reply!

You are correct, by ensuring end-to-end TLS with Azure Front Door (AFD) and an App Service using a custom domain certificate does introduce some complexities. Azure-managed certificates are typically limited to domains validated via CNAME records, which can be problematic for apex domains.

Instead of relying on Azure-managed certificates, you can store and manage your custom domain certificates in Azure Key Vault. This allows you to automate renewal and retrieval while maintaining full control over the certificate lifecycle. While auto-renewal fails for apex domains due to DNS validation limitations, it might work for a subdomain (e.g., app.example.com instead of example.com). This is because Azure can validate ownership via CNAME records.

Refer: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=subdomain%2Crbac%2Cazure-cli#create-a-free-managed-certificate

Apex Domain:

Subdomain:

Important Note:

Azure validates domain ownership using a CNAME record pointing to Azure.

If you're using an A record instead of a CNAME, renewal will fail because Azure does not support A records for validation.

Azure does not currently support TXT-based validation for auto-renewal.

Workarounds for Apex Domains: - Use a subdomain (e.g., app.example.com) instead of an apex domain. - Consider using Azure Key Vault to store and manage certificates manually.

If you wish you may upvote the feedback in the below forum requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Feedback link: https://feedback.azure.com/d365community

If above is unclear and/or you are unsure about something add a comment below.

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Accepted answer

0 additional answers

Your answer

James Munro 45 Reputation points

2025-04-08T08:41:55.7533333+00:00

Dear Ganesh, thank you for this very clear and logical advice. I really appreciate it.

As you say, we wish to have a custom domain cert both at the AFD endpoint, and on the app service itself, to ensure end-to-end TLS between the user and the application. But as I understand it, this means the app service cert cannot be managed by Azure. This is very surprising to me (if I have understood correctly) because:

you might imagine that the auto-renew validation could be based on the TXT asuid record, not the A or CNAME record

and the implication is that pretty much all users of AFD (since everyone would want a secure custom domain with end to end TLS) must provision their own certificates for their app services - something which I have not seen stated clearly in any of the extensive documentation I have read

I am wondering if there are any other options or workarounds for this situation since it seems extraordinary to me that everyone using AFD finds themselves in this situation. Perhaps while cert auto-renew fails for an apex domain, it might not fail for a subdomain? That would be at least some help.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-04-08T09:03:41.67+00:00

Hello James Munro

Thanks for the reply!

To understand better about your issue lets connect offline, please see private message for more details.

Answer 1

Hello James Munro

Azure Front Door (AFD) and Azure App Service can both use Azure-managed certificates for custom domains. However, when AFD is introduced, it becomes the primary endpoint for your custom domain. This means:

The DNS records (A and CNAME) are updated to point to AFD.
The App Service custom domain binding may no longer work as expected because the DNS no longer points directly to the App Service.
The error you encountered, "Auto-Renewal Failed," occurs because Azure App Service requires the A record (for apex domains) or CNAME (for subdomains) to point directly to the App Service for the managed certificate to renew. When the DNS points to AFD instead, this requirement is not met.

To meet the best practice of preserving the original HTTP host name between AFD and the App Service:

Configure AFD to forward the original host name in the Host header to the App Service. This ensures that the App Service sees the original custom domain in requests.
Ensure that the App Service has a valid TLS certificate for the custom domain. Since the Azure-managed certificate cannot auto-renew in this setup, you may need to use a custom certificate (e.g., from a third-party CA) and manually upload it to the App Service.

Refer: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain

Refer: https://learn.microsoft.com/en-us/azure/app-service/tutorial-secure-domain-certificate

If above is unclear and/or you are unsure about something add a comment below.

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

James Munro 45 Reputation points

2025-04-09T09:25:15.7033333+00:00

The answer from Ganesh helped me towards a solution. But there is one thing I did differently.

In my situation I have a fairly simple setup: one Front Door endpoint (with multiple custom domains) maps to one app service (with multiple custom domains). It turns out that once Front Door is in place, the app service custom domains no longer need certificate bindings. Their purpose is only to enable correct routing from Front Door to the app.

I removed the certificate bindings from the app service custom domains and everything still works, as far as I can see. I believe that requests from Front Door to the app service are still being secured against the default domain (xxx.azurewebsites.net) using the default certificate, so we still have end to end TLS. This is consistent with comments from Marcus on the responses to this post.

I suspect that my experience (starting from an established app service and adding Front Door later) may be a common one, and it would be good if the MS documentation made clear that once Front Door is set up and working, the app service certificates can be removed to avoid problems down the line.

Share via

Is it possible to have the same custom domain with Azure-managed certificate on both an app service and a Front Door endpoint?

0 additional answers

Your answer