Timeout creating new app service managed certificate

Question

Timeout creating new app service managed certificate

Derek Chan 6

I am trying to create a new managed certificate. I have created hundreds of these before and they are all renewing without a problem.

The domain name validates fine, but adding it eventually times out with this error:

Add App Service Managed Certificate

Error adding managed certificate: Pending managed certificate failed: Request Time-out Refer to the documentations for more info: https://go.microsoft.com/fwlink/?linkid=2158627.

I have checked all requirements for creating app service certificates
I have checked and run all validation scripts to ensure it passes the new requirements from 28 July 2025
i have attempted to create using "az webapp config ssl create ... ". This returns "Managed Certificate creation in progress. Please use the command 'az webapp config ssl show ...' to view your certificate once it is created" - but the certificate is never created

raklo 0 Reputation points

2025-08-29T17:19:06.22+00:00

any progress on that and working solution? I have same issue. Yesterday I could create managed certificates today got timeouts. I have public domain accessible directly (no TM/CDN/WAF) and I see token in .well-known/pki-validation/fileauth.txt.
Jonas Aebersold 1 Reputation point

2025-09-01T07:32:09.1633333+00:00

Hi

We are facing the same issue. I created a support issue in the Azure Portal last week but no solution so far. We use Powershell and Azure Automation but we also have the problem, when we run the script from our local machine.

We use New-AzWebAppCertificate (https://learn.microsoft.com/en-us/powershell/module/az.websites/new-azwebappcertificate) and we have the same problem like you with azure cli.
TP 150.9K Reputation points Volunteer Moderator

2025-09-01T08:41:42.2966667+00:00

@Jonas Aebersold @raklo Does it work if you do things in slow, step-by-step manner, using portal? What I mean is:

1. Add custom domain (without adding certificate) and verify it is active using command similar to:

curl -k https://www.yourcustomdomain.com

You know SNI is working when above returns expected content from your app/site and not 404

2. Add managed certificate, without adding binding. Wait for it to (hopefully) complete. While waiting, verify that domain validation token is created and available using command similar to below:

curl -k https://www.yourcustomdomain.com/.well-known/pki-validation/fileauth.txt

Within seconds of starting add certificate process the token should be returned. You may need to run the command every few seconds until token appears. Token starts with underscore followed by series of random letters and numbers, similar to below:

_xy7s394a4cd22wv22rxun63k3qnme2j

If token never appears you know there is an issue.

If things are working properly, the certificate should issue within 10-15 minutes, often within 4 minutes in my experience. If it is taking longer than 15 minutes I doubt it will issue.

3. If managed certificate is issued successfully, add binding and test site again, this time without -k:

curl https://www.yourcustomdomain.com

You know site is working when above returns expected content from your app/site without error.If it works reliably completing one step at a time you could apply same strategy to your scripting.
Jonas Aebersold 1 Reputation point

2025-09-01T09:28:01.4333333+00:00
In my case it's like that step-by-step:

Is working (It's a Cname, like https://yourcustomsubdomain.yourcustomdomain.com)

Fails. In the support issue we tried if the certificate has another name than the hostname, because somebody told that could be the problem. We tried to add the Managed Certificate last Monday (a week ago) and if we try to run New-AzWebAppCertificate it fails and if we try to check if the certificate already exists or not, we use Get-AzResource, and this command is still in state "Running". There are Operations in the "Activity Log" of the Resource Group which are in state running for a week.
TP 150.9K Reputation points Volunteer Moderator

2025-09-01T14:12:08.4433333+00:00

@Jonas Aebersold Did the domain validation token successfully show up?
Jonas Aebersold 1 Reputation point

2025-09-02T08:47:39.0166667+00:00

We use scripts, so there is nothing showing up. But if I try to add the Managed Certificate in the Azure Portal, than I have the same Issue - the operation from the script is blocking all other retries. If I try to add another Custom Domain with Managed Certificate with the Azure Portal, it works. But the domain from the script is still blocked. For me it looks like the Powershell and Azure CLI commands causing a problem in the "backend" of azure and all retries fail as well. We use the newest version of Powershell Az available in Azure Automation.
TP 150.9K Reputation points Volunteer Moderator

2025-09-02T09:00:58.7733333+00:00

@Jonas Aebersold That's part of what I'm getting at. Depending on how you are using the PowerShell commands and which options, it can start in motion multiple steps basically at the same time, and there was a suggestion that this is causing an issue.

Hence why I'm suggesting to break apart the individual steps, verify each is successful before proceeding to the next. If you have success with this technique, you can modify the scripts so they are no longer doing more than one thing in single command. I can assist with this if needed.

Another potential option is to essentially wait and do nothing, and assume that eventually Microsoft will solve the underlying issue and at that point your scripts will work. Or you could switch over to using free Let's Encrypt or purchased certificates, but then you have to have more scripts.

If you want assistance with your specific situation please ask a separate question.
Jonas Aebersold 1 Reputation point

2025-09-02T14:26:26.4833333+00:00
I'm not sure, if I understand your answer. We add the DNS record and than we call "New-AzWebAppCertificat". So you say we need to add a check between, if the DNS record is deployed. We can add this check for the future, but our current web-app is blocked for a week now... Which is a show-stopper for us.

This is the snipped of our current implementation. It's just:

Check if certificate exists

If certificate not exists, create a new certificate

Check if binding exists

If binding not exists, create a new binding

Wrapped with a simple retry-logic. The DNS records is deployed a week ago. But "New-AzWebAppCertificat" still fails with the error: The creation of the managed certificate 'xxx' is taking longer than expected. Please re-try the operation 'New-AzWebAppCertificate. The re-try is not helping.

We use Azure Automation and there can be more than one Job in parallel. It would be bad, if multiple calls in the same time for different domains should be a problem. Multiple calls for at the same time for the same domain should not be the case.
TP 150.9K Reputation points Volunteer Moderator

2025-09-03T13:09:14.0366667+00:00

@Jonas Aebersold New-AzWebAppCertificate performs multiple steps. I'm suggesting you instead break things out and do one step at a time. If you want to work through details create a new question.
Endi Zhupani 0 Reputation points

2026-02-24T16:20:02.0666667+00:00

In our case this didn't actually indicate a failed operation. It was just taking too long for the az webapp config ssl create ... command. When using the show command as recommended by the output message, We were able to get the certificate after a few retries. So the operation seems to have continued in the background

3 answers

Your answer

raklo 0 Reputation points

2025-08-29T17:19:06.22+00:00

any progress on that and working solution? I have same issue. Yesterday I could create managed certificates today got timeouts. I have public domain accessible directly (no TM/CDN/WAF) and I see token in .well-known/pki-validation/fileauth.txt.
Jonas Aebersold 1 Reputation point

2025-09-01T07:32:09.1633333+00:00

Hi

We are facing the same issue. I created a support issue in the Azure Portal last week but no solution so far. We use Powershell and Azure Automation but we also have the problem, when we run the script from our local machine.

We use New-AzWebAppCertificate (https://learn.microsoft.com/en-us/powershell/module/az.websites/new-azwebappcertificate) and we have the same problem like you with azure cli.
TP 150.9K Reputation points Volunteer Moderator

2025-09-01T08:41:42.2966667+00:00

@Jonas Aebersold @raklo Does it work if you do things in slow, step-by-step manner, using portal? What I mean is:

1. Add custom domain (without adding certificate) and verify it is active using command similar to:

curl -k https://www.yourcustomdomain.com

You know SNI is working when above returns expected content from your app/site and not 404

2. Add managed certificate, without adding binding. Wait for it to (hopefully) complete. While waiting, verify that domain validation token is created and available using command similar to below:

curl -k https://www.yourcustomdomain.com/.well-known/pki-validation/fileauth.txt

Within seconds of starting add certificate process the token should be returned. You may need to run the command every few seconds until token appears. Token starts with underscore followed by series of random letters and numbers, similar to below:

_xy7s394a4cd22wv22rxun63k3qnme2j

If token never appears you know there is an issue.

If things are working properly, the certificate should issue within 10-15 minutes, often within 4 minutes in my experience. If it is taking longer than 15 minutes I doubt it will issue.

3. If managed certificate is issued successfully, add binding and test site again, this time without -k:

curl https://www.yourcustomdomain.com

You know site is working when above returns expected content from your app/site without error.If it works reliably completing one step at a time you could apply same strategy to your scripting.
Jonas Aebersold 1 Reputation point

2025-09-01T09:28:01.4333333+00:00

In my case it's like that step-by-step:

Is working (It's a Cname, like https://yourcustomsubdomain.yourcustomdomain.com)

Fails. In the support issue we tried if the certificate has another name than the hostname, because somebody told that could be the problem. We tried to add the Managed Certificate last Monday (a week ago) and if we try to run New-AzWebAppCertificate it fails and if we try to check if the certificate already exists or not, we use Get-AzResource, and this command is still in state "Running". There are Operations in the "Activity Log" of the Resource Group which are in state running for a week.
TP 150.9K Reputation points Volunteer Moderator

2025-09-01T14:12:08.4433333+00:00

@Jonas Aebersold Did the domain validation token successfully show up?
Jonas Aebersold 1 Reputation point

2025-09-02T08:47:39.0166667+00:00

We use scripts, so there is nothing showing up. But if I try to add the Managed Certificate in the Azure Portal, than I have the same Issue - the operation from the script is blocking all other retries. If I try to add another Custom Domain with Managed Certificate with the Azure Portal, it works. But the domain from the script is still blocked. For me it looks like the Powershell and Azure CLI commands causing a problem in the "backend" of azure and all retries fail as well. We use the newest version of Powershell Az available in Azure Automation.
TP 150.9K Reputation points Volunteer Moderator

2025-09-02T09:00:58.7733333+00:00

@Jonas Aebersold That's part of what I'm getting at. Depending on how you are using the PowerShell commands and which options, it can start in motion multiple steps basically at the same time, and there was a suggestion that this is causing an issue.

Hence why I'm suggesting to break apart the individual steps, verify each is successful before proceeding to the next. If you have success with this technique, you can modify the scripts so they are no longer doing more than one thing in single command. I can assist with this if needed.

Another potential option is to essentially wait and do nothing, and assume that eventually Microsoft will solve the underlying issue and at that point your scripts will work. Or you could switch over to using free Let's Encrypt or purchased certificates, but then you have to have more scripts.

If you want assistance with your specific situation please ask a separate question.
Jonas Aebersold 1 Reputation point

2025-09-02T14:26:26.4833333+00:00

I'm not sure, if I understand your answer. We add the DNS record and than we call "New-AzWebAppCertificat". So you say we need to add a check between, if the DNS record is deployed. We can add this check for the future, but our current web-app is blocked for a week now... Which is a show-stopper for us.

This is the snipped of our current implementation. It's just:

Check if certificate exists

If certificate not exists, create a new certificate

Check if binding exists

If binding not exists, create a new binding

Wrapped with a simple retry-logic. The DNS records is deployed a week ago. But "New-AzWebAppCertificat" still fails with the error: The creation of the managed certificate 'xxx' is taking longer than expected. Please re-try the operation 'New-AzWebAppCertificate. The re-try is not helping.

We use Azure Automation and there can be more than one Job in parallel. It would be bad, if multiple calls in the same time for different domains should be a problem. Multiple calls for at the same time for the same domain should not be the case.
TP 150.9K Reputation points Volunteer Moderator

2025-09-03T13:09:14.0366667+00:00

@Jonas Aebersold New-AzWebAppCertificate performs multiple steps. I'm suggesting you instead break things out and do one step at a time. If you want to work through details create a new question.
Endi Zhupani 0 Reputation points

2026-02-24T16:20:02.0666667+00:00

In our case this didn't actually indicate a failed operation. It was just taking too long for the az webapp config ssl create ... command. When using the show command as recommended by the output message, We were able to get the certificate after a few retries. So the operation seems to have continued in the background

Answer 1

Hi

Together with Azure Support, I discovered the solution (or rather, a workaround) more or less by chance. In our Azure Automation Runbook, we always stopped the WebApp immediately after creating it and only started it again once it was fully configured. When you start the web app, you can create the managed certificate without any problems. I don't know if the status code is taken into account when creating the certificate (stopped 403, started 200). In any case, I started the web app as a first test, and then I was able to create the certificate in the Azure portal. Then I removed the stop of the WebApp in the Azure Automation Runbook, the runbook also ran without errors.

For one day we had a workaround, with 100% success rate and multiple retries on different subscriptions. But today this workaround is not working anymore.

Answer 2

Hi Derek,

If you post the domain you are attempting to create managed certificate for in a comment I will run some DNS queries from multiple global points and see if I see anything wrong. Since you have done it so many times there probably isn't anything wrong, but it won't hurt for me to check.

After you attempt to add managed certificate, please see if domain validation token is being created using instructions below.

For example, say you are adding managed certificate for www.yourcustomdomain.com. You start process in Azure portal, then in separate tab you immediately navigate to below link:

https://www.yourcustomdomain.com/.well-known/pki-validation/fileauth.txt

You will get security warning, since certificate hasn't been issued, so click Advanced and then click to continue to site. Every 3 seconds or so, refresh the page. At first, you should receive error similar to below screenshot:

enter image description here

However, if you keep refreshing your browser every few seconds, within a few minutes you should see token appear, which would be similar to below screenshot:

enter image description here

If you keep refreshing the page for 10-15 minutes and token never appears and/or certificate never gets issued, then it means there is an issue and your managed certificate is unlikely to ever get issued.

After the token shows up, if things are working properly your certificate should be issued in about 5-10 minutes. When it is issued if you again browse to above link the token will be replaced by error message since the token is no longer needed and thus removed.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Derek Chan 6 Reputation points

2025-08-29T02:43:57+00:00

thank you, I will try that. screenshot above showing the domain name.

Answer 3

Michele Ariis 7,210 MVP

Hi, the “Request Time-out” error when creating the App Service Managed Certificate is almost always caused by a failed domain check. Check that the host points directly to the app with a CNAME → <appname>.azurewebsites.net (no Front Door/Cloudflare/WAF in the middle; on Cloudflare, set “DNS only”), that there are no blocking CAAs or add issue "digicert.com" (and issuewild "digicert.com" if necessary), and that the app is publicly accessible (Access restrictions disabled, no Private Endpoint/“Public network access: Off” during issuance). Delete any Pending/Failed certificates and the domain binding, re-add the domain, and re-issue; if using the CLI, run it and then check the certificate status with az resource show -g <rg> -n "<hostname>" --resource-type Microsoft.Web/certificates (look at provisioningState/statusReason). If you need to run a proxy in front of you, don't use AMSC: use the Front Door/ALB managed certificate or issue via Key Vault/ACME and connect that to the App Service. If it keeps expiring, collect quick evidence (nslookup -type=CAA domain, nslookup host) and open an App Service ticket asking them to requeue the issuance for the host, including subscription/app/area and the certificate status JSON.

Derek Chan 6 Reputation points

2025-08-29T02:55:48.4566667+00:00

@Michele Ariis thanks. the cname points to trafficmanager as it has for all other domains i have created in the past. This is the first domain I have attempted to created post 28 July. All existing domains and this one are "azure endpoints", not "nested" or "external". I ran all the check scripts here and passed them all. https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-certificate-changes-july-2025
Michele Ariis 7,210 Reputation points MVP

2025-08-29T04:41:03+00:00

The “Request Time-out” error when creating the App Service Managed Certificate (AMSC) almost always depends on the fact that your host points via CNAME to Traffic Manager: after the July 2025 changes, certificate validation must reach the App Service on the domain directly (without TM/CDN/WAF) and read /.well-known/pki-validation. Solutions: 1) Quick workaround: delete the faulty certificate, temporarily point the CNAME to <appname>.azurewebsites.net, make sure the site is public (no Access Restrictions/Private Endpoints) and that any CAAs allow digicert.com, recreate the certificate, then re-bind and, if desired, restore TM (knowing that renewal will require a new flip). 2) Recommended solution with TM/multi-region: do not use AMSC behind TM; Terminate TLS on Azure Front Door/Application Gateway with their managed certificate, or bring your own certificate (ACME/Let's Encrypt or DigiCert via Key Vault/automation) and upload it to App Services. Quick checks: no orange proxies (Cloudflare "DNS only"), no redirects that change Host headers, HTTP/80 reachable for DCV. Status/debug: az resource show ... Microsoft.Web/certificates --query "{state:...,reason:...}"

Share via

Timeout creating new app service managed certificate

3 answers

Your answer