Enable multiple App Services in the same Resource Group to create App Service Managed Certificates

Jun Ye 21 Reputation points
2021-01-12T21:30:58.563+00:00

Use case scenario:

  • Under same Subscription
  • Under same Resource Group
  • Need to create two or more App Services in different regions, e.g.:
    • AppWestEurope
    • AppEastUs

Uses Traffic Manager to distribute load based on performance, so we created a Traffic Manager Profile contoso.trafficmanager.net

Registered a CNAME for app.contoso.com mapping to contoso.trafficmanager.net
Had Traffic Manager add both app services as endpoints

Currently if we add custom domain app.contoso.com to AppWestEurope, it's possible to get an App Service Managed Certificate for AppWestEurope and bind it to the custom domain.

However, for the second app service AppEastUs, you won't be able to request the App Service Managed Certificate for the same domain app.contoso.com.

As the first step created an object of type microsoft.web/certificates with name app.contoso.com, the second step will fail, as it will also try to create a microsoft.web/certificates object with the same name app.contoso.com in the same Resource Group.

Suggestion:
Create a new object with name AppServiceName-DomainName, such as:
AppWestEurope-app.contoso.com
AppEastUs-app.contoso.com

This would allow the two certificates to co-exist in the same Resource Group with the same Subject Alternative Name.

Azure App Service

2 answers

  1. SnehaAgrawal-MSFT 21,926 Reputation points
    2021-01-14T16:49:21.367+00:00

    Thanks for the question! If my understanding is correct, the request is to use a different cert name for each managed cert. If so, the best approach right now is to use the following PS script to provide a custom cert name to a managed cert.

    With the upcoming portal deployment, the portal will use a unique name for the cert name, which should help you accomplish the same.

    $location = "West Europe"
    $ResourceGroupName = "myRG"
    $AppServicePlanName = "myASP"
    $appName = "mywebapp"
    $domainName = "www.xyz.com"

    # Look up the App Service plan the certificate will be tied to
    $asp = Get-AzResource -Name $AppServicePlanName -ResourceGroupName $ResourceGroupName `
        -ResourceType "Microsoft.Web/serverfarms"
    $AppServicePlanId = $asp.ResourceId

    $PropertiesObject = @{
        canonicalName = $domainName
        serverFarmId  = $AppServicePlanId
    }

    # Create the App Service Managed Certificate (a Microsoft.Web/certificates resource)
    New-AzResource -Name $domainName -Location $location -PropertyObject $PropertiesObject `
        -ResourceGroupName $ResourceGroupName -ResourceType Microsoft.Web/certificates `
        -Force

    # Read the certificate back to obtain its thumbprint
    $freeCert = Get-AzResource -ResourceName $domainName -ResourceGroupName $ResourceGroupName `
        -ResourceType Microsoft.Web/certificates

    $freeCert

    $freeCert.Properties.thumbprint

    $PropertiesObject = @{
        SslState   = "SniEnabled"
        thumbprint = $freeCert.Properties.thumbprint
    }

    # Hostname bindings are child resources of the site, named <site>/<hostname>
    $certName = $appName + '/' + $domainName

    # Bind the certificate to the custom hostname with SNI SSL
    New-AzResource -Name $certName -Location $location -PropertyObject $PropertiesObject `
        -ResourceGroupName $ResourceGroupName -ResourceType Microsoft.Web/sites/hostnameBindings `
        -Force

    Please let us know if this helps.


  2. Jun Ye 21 Reputation points
    2021-01-18T19:21:27.227+00:00

    @SnehaAgrawal-MSFT

    I'm aware of that script. The script itself has some timing issues that need to be fixed, as the cert isn't immediately available right after New-AzResource. This timing issue will cause the subsequent Get-AzResource to fail, as it's not able to find the certificate right away.

    My point is that in the Azure Portal, when you are creating these App Service Managed Certificates, it should not cause a conflict when you have multiple App Services in the same Resource Group using the same custom domain name.

    The backend process taken by the portal should name these certificate objects uniquely, rather than just using the custom domain name as the name of the certificates, which causes a conflict.

    If this has been fixed in the Azure Portal, then there's no reason you should depend on a custom script.
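The following PowerShell is an added example, not code from either participant. It combines the two points raised in the thread: it names the certificate resource AppServiceName-DomainName so a second app in the same resource group can get its own managed certificate for the same hostname, and it polls for the certificate's thumbprint instead of reading it back immediately after New-AzResource. All resource names are constructed placeholders, and it assumes the custom domain has already been added to the app and validated.

```powershell
# Added example (not from the thread). Creates a managed certificate under a unique
# resource name (<app>-<domain>) and waits for its thumbprint before binding it.
# All names below are constructed placeholders.
param(
    [string]$ResourceGroupName  = "myRG",
    [string]$AppServicePlanName = "myASP-westeurope",
    [string]$AppName            = "AppWestEurope",
    [string]$Location           = "West Europe",
    [string]$DomainName         = "app.contoso.com",
    [int]$TimeoutSeconds        = 300
)

$asp = Get-AzResource -Name $AppServicePlanName -ResourceGroupName $ResourceGroupName `
    -ResourceType "Microsoft.Web/serverfarms"

# Unique certificate name: using the bare domain would collide with the other app's
# certificate object in the same resource group.
$certResourceName = "$AppName-$DomainName"

New-AzResource -Name $certResourceName -Location $Location `
    -ResourceGroupName $ResourceGroupName -ResourceType "Microsoft.Web/certificates" `
    -PropertyObject @{ canonicalName = $DomainName; serverFarmId = $asp.ResourceId } -Force

# The certificate is issued asynchronously; poll until it is readable and carries a
# thumbprint, rather than calling Get-AzResource once right after creation.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$cert = $null
do {
    Start-Sleep -Seconds 10
    $cert = Get-AzResource -ResourceName $certResourceName -ResourceGroupName $ResourceGroupName `
        -ResourceType "Microsoft.Web/certificates" -ErrorAction SilentlyContinue
} until (($cert -and $cert.Properties.thumbprint) -or ((Get-Date) -gt $deadline))

if (-not ($cert -and $cert.Properties.thumbprint)) {
    throw "Managed certificate '$certResourceName' was not available after $TimeoutSeconds seconds."
}

# Bind the issued certificate to the app's custom hostname (child resource <app>/<hostname>).
New-AzResource -Name "$AppName/$DomainName" -Location $Location `
    -ResourceGroupName $ResourceGroupName -ResourceType "Microsoft.Web/sites/hostnameBindings" `
    -PropertyObject @{ SslState = "SniEnabled"; thumbprint = $cert.Properties.thumbprint } -Force
```

Run it once per app (for example with -AppName AppEastUs -Location "East US" and that region's plan) and each app ends up with its own certificate object for the shared hostname.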
