ARM Deployment fails with Internal Server Error when creating a managed app service certificate

Matt H 26 Reputation points

I have an ARM template deployment that is trying to create a managed app service certificate for TLS. It repeatedly fails with an internal server error. I have viewed hidden resources and there is no existing certificate.

I have based my template on those found at after finding it linked from this github issue:

I have looked at the API documentation for Microsoft.web/certificates and it seems like password is required, but I have tried supplying one and it still failed. No password is required when manually creating such a certificate through the Azure portal. I have also tried using various api versions.

The certificate snippet from my template is below:

"variables": {
    "subDomainName": "[concat(parameters('websiteName'), '.', parameters('domainName'))]",
    "certificateName": "[concat(parameters('websiteName'), '.', parameters('domainName'), '-', parameters('websiteName'))]"
},
"resources": [
    {
        "apiVersion": "2019-08-01",
        "name": "[variables('certificateName')]",
        "type": "Microsoft.Web/certificates",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[resourceId('Microsoft.Web/sites/hostNameBindings', parameters('websiteName'), variables('subDomainName'))]"
        ],
        "properties": {
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]",
            "canonicalName": "[variables('subDomainName')]"
        }
    }
]

The deployment specifically fails on the certificate resource deployment. An example error I have received is:

  "status": "Failed",  
  "error": {  
      "code": "ResourceDeploymentFailure",  
      "message": "Encountered internal server error. Diagnostic information: timestamp '20210122T182918Z', subscription id 'e476692c-951e-4341-8dea-efe0ed315289', tracking id '649ea872-9744-412f-8835-03847c2779b3', request correlation id '8f53bfef-64d3-43cf-8f3d-c443144601ae'."  

Accepted answer
  1. Ryan Hill 26,156 Reputation points Microsoft Employee

    Hi @Matt H ,

    I'm glad we were able to get your issue resolved. Per our discussion, we discovered that the certificate binding to the host's name must be done via two templates instead of one because we cannot have two operations against the same type within an ARM template.

    After resolving that, we discovered a subsequent validation error was occurring due to your domain name containing upper case letters. Once you altered that, you were successfully able to issue an app service with a managed certificate via an ARM template.



1 additional answer

  1. Ryan Hill 26,156 Reputation points Microsoft Employee

    Hi @Matt H ,

    Managed certs do not support naked or wildcard domains. That being said, your canonicalName and dependsOn targets for your Microsoft.Web/certificates are only using your subDomainName variable. I think your error is coming from using only a piece of the domain e.g. blog.mysite where it should be set to


    EDIT: For now, the Password property on Certificates object is required. There is an SDK update coming forth that will address this. For now, though, as a workaround you can leave the Password property as an empty string. If you run into a separate issue, please let me know.
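
A pre-deployment check for the pitfalls named in the two answers above, as an added example that is not part of the original thread or of Microsoft's tooling. It assumes the `websiteName` and `domainName` parameters from the question, that `domainName` holds the registered domain (so an empty `websiteName` means a naked domain), and it inspects top-level resources only; the function name and finding labels are hypothetical.

```python
import json

CERT = "microsoft.web/certificates"
BINDING = "microsoft.web/sites/hostnamebindings"

def lint_managed_cert(template, params):
    """Return findings for the pitfalls named in the two answers (hypothetical helper)."""
    findings = []
    site = params.get("websiteName", "")
    domain = params.get("domainName", "")
    host = f"{site}.{domain}" if site else domain

    # Accepted answer: upper-case letters in the domain name failed validation.
    if host != host.lower():
        findings.append("uppercase-hostname")
    # Second answer: managed certs do not support naked or wildcard domains.
    if "*" in host:
        findings.append("wildcard-hostname")
    if not site:  # assumption: no sub-domain label means a naked domain
        findings.append("naked-domain")

    seen = set()
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        key = (rtype, res.get("name", "").lower())
        # Accepted answer: a second operation on the same binding belongs in a
        # separate template, not beside the first one.
        if rtype == BINDING and key in seen:
            findings.append("binding-declared-twice")
        seen.add(key)
        # Second answer (EDIT): Password is required for now; "" is accepted.
        if rtype == CERT:
            props = {k.lower() for k in res.get("properties", {})}
            if "password" not in props:
                findings.append("missing-password-property")
    return findings

# Constructed sample input, modelled on the snippet in the question.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites/hostNameBindings", "name": "blog/blog.mysite.example"},
  {"type": "Microsoft.Web/certificates", "name": "blog-cert",
   "properties": {"canonicalName": "blog.mysite.example"}},
  {"type": "Microsoft.Web/sites/hostNameBindings", "name": "blog/blog.mysite.example"}
]}
""")
SAMPLE_PARAMS = {"websiteName": "blog", "domainName": "MySite.example"}

if __name__ == "__main__":
    print(lint_managed_cert(SAMPLE_TEMPLATE, SAMPLE_PARAMS))
```

An empty result means none of these specific conditions was found; it does not validate the rest of the template.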