An Azure service that provides a hybrid, multi-cloud management platform for APIs.
Hi @DB
Thank you for reaching out to Microsoft Q&A.
As discussed in private chat, you have switched the APIs to another service to resolve the availability issue.
Based on the backend investigation, the issue is caused by a combination of APIM capacity pressure and managed certificate limitations during service updates, along with a failed domain validation check. The 500 errors are a downstream impact of APIM being under stress when capacity crosses the recommended threshold, which can lead to unexpected behavior during scaling operations, maintenance, or service updates.

In parallel, APIM update operations are attempting to create or renew a Managed Certificate for the custom domain, but this process is currently restricted by a platform limitation. As part of the managed certificate workflow, APIM tries to validate domain ownership by retrieving a token from http://api.ganttpro.com/.well-known/pki-validation/fileauth.txt. Since this endpoint is either not reachable, not serving the expected token, or blocked, the certificate validation fails. Additionally, Microsoft has temporarily disabled new managed certificate requests during APIM updates (between August 15, 2025 and March 15, 2026), which further causes the update operation to fail even though existing custom domains remain reachable.

Refer to the points below to resolve this issue or to use as a workaround:
Increase APIM capacity or upgrade SKU
APIM capacity is reported above 50%, which is not recommended for stable operations.
- Scale out the APIM instance by increasing the number of units, or
- Upgrade to a higher SKU (for example, from Developer/Basic to Standard or Premium).
Keeping capacity consistently below the threshold reduces the risk of 500 errors, VM recycles, and update failures during traffic spikes or maintenance.
Avoid Managed Certificate changes during APIM update window
New Managed Certificate requests are temporarily disabled during service updates until March 15, 2026.
- Do not add or modify custom domains with Managed Certificates as part of an APIM update.
- If a domain is already configured with a managed certificate, it will continue to work without impact.
- If a domain change is required, consider postponing the APIM update or using a different certificate approach.
Use a Key Vault–backed (Bring Your Own) certificate instead of Managed Certificate
As a workaround, upload a certificate from Azure Key Vault and bind it to the custom domain.
- This avoids the managed certificate creation flow entirely.
- It is the recommended approach when frequent updates or automation are required.
Ensure domain validation endpoint is accessible
If you plan to retry managed certificate creation after the restriction period:
- Make sure the endpoint is publicly accessible.
- Verify that it returns the exact token expected by APIM.
- Ensure there are no firewall, WAF, CDN, or redirect rules blocking this path.
Retry APIM update after stabilizing capacity and configuration
Once capacity is normalized and certificate configuration is aligned with the supported approach:
- Re-run the APIM update operation.
- Monitor APIM metrics (CPU, memory, capacity) during the update to confirm stability.
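
One way to run the domain validation endpoint checks listed above from a machine outside your network, as an added example that is not part of the original answer and is not Microsoft tooling. The token argument stands for whatever value was issued for your domain; the page does not say whether padding around the token is tolerated, so that case is reported separately (an assumption of this sketch).

```python
import sys
import urllib.error
import urllib.request

# Path taken from the answer above; the token value is whatever was issued to you.
VALIDATION_PATH = "/.well-known/pki-validation/fileauth.txt"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(host, timeout=10):
    """GET the validation file over plain HTTP; return (status, location, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{host}{VALIDATION_PATH}", timeout=timeout) as resp:
            return resp.status, None, resp.read(4096)
    except urllib.error.HTTPError as err:      # any non-2xx, including 3xx
        return err.code, err.headers.get("Location"), err.read(4096)
    except OSError as err:                     # DNS failure, refused, timeout
        return None, None, str(err).encode()


def diagnose(status, location, body, expected_token):
    """Map one response to the failure modes listed in the answer."""
    if status is None:
        return "unreachable"
    if 300 <= status < 400:
        return f"redirected to {location}"
    if status in (401, 403):
        return "blocked (firewall/WAF/CDN rule?)"
    if status != 200:
        return f"not served (HTTP {status})"
    if body == expected_token.encode():
        return "ok"
    if body.strip(b"\xef\xbb\xbf \t\r\n") == expected_token.encode():
        return "token present but padded with BOM/whitespace"
    return "wrong content (error page or stale token?)"


if __name__ == "__main__":
    host, token = sys.argv[1], sys.argv[2]     # e.g. api.example.com <token>
    print(diagnose(*fetch(host), token))
```

Run it as `python check_validation.py <custom-domain> <token>` (the script name is hypothetical); any result other than `ok` points at which of the three bullets under "Ensure domain validation endpoint is accessible" to look at first.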