Production outage due to missing TLS binding for custom domain managed by Azure

Question

Production outage due to missing TLS binding for custom domain managed by Azure

Matthew Cabral 20

We are using an Azure-managed certificate for a custom domain.

At one point this morning, the domain began serving the default Azure App Service certificate instead of the expected TLS certificate, and this persisted throughout the day until we manually uploaded and bound our own certificate.

We confirmed using:

openssl s_client -connect <custom-domain>:443 -servername <custom-domain>

The certificate returned had:

CN: *.azurewebsites.net
SAN: only Azure default domains (our custom domain was not included)

This suggests the custom domain was no longer associated with the expected TLS/SSL certificate, and Azure served the default platform certificate instead.

Additional context:

DNS for the custom domain was unchanged
The custom domain remained configured
No intentional changes were made to TLS/SSL settings prior to the issue
The issue was resolved only after replacing the managed certificate with a manually uploaded certificate

We’re looking to understand what may have caused this behavior with the Azure-managed certificate and how to avoid it going forward. Any logs or insights into certificate rotation or binding behavior would be helpful.

Thanks in advance for your help.

Pravallika KV 13,545 Reputation points Microsoft External Staff Moderator

2026-03-25T23:40:42.96+00:00
Hi @Matthew Cabral ,

Thanks for reaching out to Microsoft Q&A.

What probably happened is App Service's free managed certs (ASMC) auto-renew behind the scenes, DigiCert now uses an HTTP-token challenge on port 80 instead of just CNAME. If your app becomes unreachable over HTTP (firewall/VNet/Private Endpoint, IP restrictions, WAF, etc.), or if the token can’t be fetched, the renewal will silently fail. When that managed cert expires (every six months), App Service falls back to the *.azurewebsites.net certificate, so you see the default cert instead of yours.

Your Azure-managed certificate likely failed to renew or rebind temporarily, causing App Service to serve the default *.azurewebsites.net certificate. Even without DNS changes, Azure can drop the binding if:

Domain validation fails during rotation

Internal App Service issues occur

Automatic certificate provisioning encounters an error

To avoid this: Monitor sslBindings/write events, and for critical domains consider using a manually uploaded certificate.

Keep your custom domain publicly reachable on HTTP (port 80) so the DigiCert HTTP-token challenge succeeds.

If you have IP restrictions, VNet integration, Private Endpoints or a front-end (App Gateway, Front Door), allow inbound HTTP from DigiCert’s validation service (or remove the block on port 80 during renewal windows).

Ensure DNS is always valid and in place: CNAME/A record to your .azurewebsites.net - asuid TXT record for the custom-domain validation ID
Magnus H 0 Reputation points

2026-03-26T11:09:26.6766667+00:00

Hi @Pravallika KV ,

I wanted to add to this that we (no affiliation to Matthew) experienced the exact same situation around the same time that Matthew posted his question. We have several API Management instances using managed certificates for custom domains. The custom domain binding stopped working for all these instances at the same time. The CNAME and TXT records have not been not changed, and the managed certificates do not expire until 4/15/2026.
Matthew Cabral 20 Reputation points

2026-03-26T11:24:51.5433333+00:00
Thanks for the explanation

One thing I wanted to point out is that the certificate in question was showing an expiry date of April 26, so it was still valid at the time of the issue (March 25).

Given that, I would have expected the existing certificate to continue being served even if a renewal attempt had failed.

Instead, the domain began serving the default *.azurewebsites.net certificate, which suggests the binding to the existing valid certificate was no longer in place.

For context, there were no restrictions in place that would block HTTP validation:

No WAF

No IP restrictions

No private endpoints or networking changes

The domain was publicly reachable over port 80

Could you clarify why a still-valid managed certificate would no longer be served in this scenario? Is it expected behavior for the binding to be dropped during a failed renewal or validation attempt? Are there no systems in place to notify of renewal failures?

Answer accepted by question author

0 additional answers

Your answer

Pravallika KV 13,545 Reputation points Microsoft External Staff Moderator

2026-03-25T23:40:42.96+00:00

Hi @Matthew Cabral ,

Thanks for reaching out to Microsoft Q&A.

What probably happened is App Service's free managed certs (ASMC) auto-renew behind the scenes, DigiCert now uses an HTTP-token challenge on port 80 instead of just CNAME. If your app becomes unreachable over HTTP (firewall/VNet/Private Endpoint, IP restrictions, WAF, etc.), or if the token can’t be fetched, the renewal will silently fail. When that managed cert expires (every six months), App Service falls back to the *.azurewebsites.net certificate, so you see the default cert instead of yours.

Your Azure-managed certificate likely failed to renew or rebind temporarily, causing App Service to serve the default *.azurewebsites.net certificate. Even without DNS changes, Azure can drop the binding if:

Domain validation fails during rotation

Internal App Service issues occur

Automatic certificate provisioning encounters an error

To avoid this: Monitor sslBindings/write events, and for critical domains consider using a manually uploaded certificate.

Keep your custom domain publicly reachable on HTTP (port 80) so the DigiCert HTTP-token challenge succeeds.

If you have IP restrictions, VNet integration, Private Endpoints or a front-end (App Gateway, Front Door), allow inbound HTTP from DigiCert’s validation service (or remove the block on port 80 during renewal windows).

Ensure DNS is always valid and in place: CNAME/A record to your .azurewebsites.net - asuid TXT record for the custom-domain validation ID
Magnus H 0 Reputation points

2026-03-26T11:09:26.6766667+00:00

Hi @Pravallika KV ,

I wanted to add to this that we (no affiliation to Matthew) experienced the exact same situation around the same time that Matthew posted his question. We have several API Management instances using managed certificates for custom domains. The custom domain binding stopped working for all these instances at the same time. The CNAME and TXT records have not been not changed, and the managed certificates do not expire until 4/15/2026.
Matthew Cabral 20 Reputation points

2026-03-26T11:24:51.5433333+00:00

Thanks for the explanation

One thing I wanted to point out is that the certificate in question was showing an expiry date of April 26, so it was still valid at the time of the issue (March 25).

Given that, I would have expected the existing certificate to continue being served even if a renewal attempt had failed.

Instead, the domain began serving the default *.azurewebsites.net certificate, which suggests the binding to the existing valid certificate was no longer in place.

For context, there were no restrictions in place that would block HTTP validation:

No WAF

No IP restrictions

No private endpoints or networking changes

The domain was publicly reachable over port 80

Could you clarify why a still-valid managed certificate would no longer be served in this scenario? Is it expected behavior for the binding to be dropped during a failed renewal or validation attempt? Are there no systems in place to notify of renewal failures?

Answer 1

Hello Matthew Cabral,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having production outage due to missing TLS binding for custom domain managed by Azure.

The outage was caused by loss or corruption of TLS binding between the custom domain and Azure-managed certificate, likely due to platform-side sync failure or internal service issue, NOT renewal failure. Since your cert is not yet expired till April, the below steps can help you fix the issue:

Enforce binding integrity monitoring by monitor Azure Activity Logs: `Microsoft.Web/sites/hostNameBindings/write` `Microsoft.Web/certificates/write` `sslBindings/write` Detects unexpected binding changes.
Implement synthetic TLS monitoring by run continuous checks using bash command: openssl s_client -connect domain:443 -servername domain Alert if: CN != expected domain
Add automatic recovery script or automation. Check binding if missing > rebind certificate. Use this bash az webapp config ssl bind This directly addresses failure mode.- [ https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-azure-app-service-certificates]
Avoid sole dependence on Managed Certificates the recommended for production is to use: Azure Key Vault + custom cert OR External CA + manual upload. Because, managed certs have no SLA for binding continuity.
Force periodic certificate to sync by using this bash command: Rekey and Sync > Sync This will help fixes stale or broken bindings. - https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates
Enable Azure Alerts on:
- Certificate nearing expiry
- Binding changes
- App Service configuration changes
If the issue persist escalate to official Microsoft support by raising ticket. You can request:
- RCA (Root Cause Analysis)
- Incident ID

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Share via

Production outage due to missing TLS binding for custom domain managed by Azure

0 additional answers

Your answer