Issue with managed certificate creation for azure container app

matt 0 Reputation points
2025-06-03T00:13:03.16+00:00

I am trying to create a managed certificate for an Azure Container App. I can provision the custom domain, but then the certificate creation fails with the following:

[
  {
    "id": "/subscriptions/60a61476-bd26-4cc2-a7b2-549cafbad00a/resourceGroups/zach-gtn-resource-group-dev/providers/Microsoft.App/managedEnvironments/zach-gtn-container-app-env-dev/managedCertificates/mc-zach-gtn-resou-engines-zach-nod-9999",
    "location": "East US 2",
    "name": "mc-zach-gtn-resou-engines-zach-nod-9999",
    "properties": {
      "domainControlValidation": "CNAME",
      "error": "",
      "provisioningState": "Failed",
      "subjectName": "engines-zach.nodes.griptape.ai",
      "validationMethod": "CNAME"
    },
    "resourceGroup": "zach-gtn-resource-group-dev",
    "systemData": {
      "createdAt": "2025-06-02T22:50:56.3535331",
      "createdBy": "8fc60882-7c87-4df4-8695-37d41805907b",
      "createdByType": "Application",
      "lastModifiedAt": "2025-06-02T22:50:56.3535331",
      "lastModifiedBy": "8fc60882-7c87-4df4-8695-37d41805907b",
      "lastModifiedByType": "Application"
    },
    "type": "Microsoft.App/managedEnvironments/managedCertificates"
  }
]

There are no error details at all. How can I find more details about the error? The activity logs also have no details.

Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.

1 answer

  1. Gaurav Kumar 695 Reputation points Microsoft External Staff Moderator
    2025-06-10T07:18:44.1566667+00:00

    Hi matt,

    You're able to provision a custom domain for your Azure Container App, but the managed certificate creation fails silently with provisioningState: "Failed" and no error message.

    Please Confirm Before Troubleshooting:

    CNAME Record Set Correctly:

    Ensure custom domain (e.g., engines-zach.nodes.griptape.ai) has a CNAME record pointing to your container app's default FQDN (e.g., abc123.eastus2.azurecontainerapps.io).

    dig CNAME engines-zach.nodes.griptape.ai
    nslookup engines-zach.nodes.griptape.ai

    DNS Propagation Completed

    Wait at least 15–30 minutes after adding the CNAME to allow DNS propagation before creating the certificate.

    Subdomain Format is Valid

    Ensure you're using a subdomain, not a naked/apex domain (e.g., example.com). Azure-managed certificates require a subdomain + CNAME.

    If the portal and activity logs don’t show error details, try the following:

    Azure Resource Explorer

    Browse to https://resources.azure.com and follow the path:

    Subscriptions > {Your Subscription} > resourceGroups > {Your RG} > providers > Microsoft.App > managedEnvironments > {Env Name} > managedCertificates > {Cert Name}

    You may find hidden provisioning error properties.

    Enable Diagnostic Logs

    Send logs to Log Analytics:

    az monitor diagnostic-settings create --resource "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.App/managedEnvironments/<env>" --name certDiag --workspace <log-analytics-workspace-id> --logs '[{"category": "AppSystemLogs","enabled": true}]'

    Query logs:

    AppSystemLogs
    | where Message has "certificate" or Message has "custom domain"
    | sort by TimeGenerated desc

    Use Azure CLI with Debug Output

    az containerapp managed-certificate create --resource-group zach-gtn-resource-group-dev --environment zach-gtn-container-app-env-dev --domain-name engines-zach.nodes.griptape.ai --name mc-zach-gtn-resou-engines-zach-nod-9999 --debug

    Try a Different Subdomain: E.g., test-zach.nodes.griptape.ai to rule out caching or stale DNS records.

    Wait for DNS TTLs: If a previous CNAME was incorrect or missing, Azure may cache the invalid state.

    Known Limitations

    • Managed certificates only work with CNAME-validated subdomains, not apex domains.
    • DNS propagation issues are a common cause of silent failures.

    Try the below workaround to fix the issue:

    Bring Your Own Certificate (BYOC)

    If managed cert provisioning continues to fail:

    Use Let’s Encrypt or a commercial CA to generate a certificate.

    Upload the .pfx using:

    az containerapp ssl upload --resource-group <rg> --environment <env> --certificate-file cert.pfx --certificate-password <password> --name <cert-name>

    For more details, please refer to the following documentation: Custom domains & certificates (BYOC), Managed Certificates in Azure Container Apps.

    By following the above steps, you should be able to identify the root cause of the failed managed certificate creation and take necessary actions to resolve the issue.


    Hope this helps.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
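As an added example (not part of the question or the answer above), a small Python pre-flight script that encodes the answer's prerequisites: the domain must be a subdomain, its CNAME must point at the container app's default FQDN, and a `managedCertificates` resource with an empty `error` field tells you only that validation failed. The sample resource is a trimmed copy of the question's JSON; the `abc123.eastus2.azurecontainerapps.io` FQDN is constructed, `dig` is assumed to be installed, and the apex-domain test is a label-count heuristic.

```python
import shutil
import subprocess
from typing import List, Optional

# Trimmed copy of the failed resource from the question.
SAMPLE_CERT = {"name": "mc-zach-gtn-resou-engines-zach-nod-9999",
               "properties": {"domainControlValidation": "CNAME", "error": "",
                              "provisioningState": "Failed",
                              "subjectName": "engines-zach.nodes.griptape.ai",
                              "validationMethod": "CNAME"}}


def resolve_cname(name: str) -> Optional[str]:
    """CNAME target of `name` via `dig +short` (assumes dig is installed); None if absent."""
    if shutil.which("dig") is None:
        return None
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    return out.strip().rstrip(".") or None


def preflight(domain: str, cname_target: Optional[str], app_fqdn: str) -> List[str]:
    """Return the prerequisites from the answer that are not met; [] means all OK."""
    problems = []
    # Heuristic: fewer than three labels (example.com) is treated as an apex domain.
    if len(domain.strip(".").split(".")) < 3:
        problems.append(f"{domain} looks like an apex domain; a CNAME-validated subdomain is required")
    if cname_target is None:
        problems.append(f"no CNAME record found for {domain}")
    elif cname_target.rstrip(".").lower() != app_fqdn.rstrip(".").lower():
        problems.append(f"CNAME for {domain} points to {cname_target}, expected {app_fqdn}")
    return problems


def diagnose(cert: dict) -> str:
    """One-line summary of a managedCertificates resource; notes when error is empty."""
    props = cert["properties"]
    state = props.get("provisioningState")
    if state == "Succeeded":
        return f"{props['subjectName']}: certificate issued"
    detail = props.get("error") or "no error detail returned by the service"
    return f"{props['subjectName']}: {state} via {props.get('validationMethod')} validation; {detail}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT))
    domain = SAMPLE_CERT["properties"]["subjectName"]
    # Constructed FQDN: replace with your container app's default domain.
    for problem in preflight(domain, resolve_cname(domain), "abc123.eastus2.azurecontainerapps.io"):
        print("-", problem)
```

Run it before retrying `az containerapp managed-certificate create`; an empty problem list plus a `Failed` state with no error detail points at propagation or cached DNS state rather than a misconfigured record.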

