
App Service Managed Certificate renewal with Cloudflare-proxied CNAME

Nas 25 Reputation points
2026-04-17T00:46:06.57+00:00

Hello Microsoft Support,

We are using Azure App Service behind Cloudflare.

We have found that when a custom domain CNAME is proxied in Cloudflare, Azure App Service Managed Certificate validation fails on the CNAME check, although the TXT validation passes. If we temporarily change the record to DNS only (unproxied), validation succeeds and the certificate is issued.

We would like to confirm:

  1. Is this expected behavior?
  2. Will the same issue affect automatic renewal of the App Service Managed Certificate?
  3. Are App Service Managed Certificates officially supported for domains that remain permanently proxied through Cloudflare?
  4. If not, what is the recommended certificate approach for App Service origins behind Cloudflare?

This is important for us because we need a reliable long-term certificate renewal model for production domains fronted by Cloudflare.

Kind regards,



Answer accepted by question author

    Aditya N 2,960 Reputation points Microsoft External Staff Moderator
    2026-04-17T04:13:01.33+00:00

    Hello @Nasir Ahmed

    Thank you for your detailed follow-up and for referencing the official documentation.

    Based on the latest updates to App Service Managed Certificates (ASMC), the behavior you’re observing can be clarified as follows:

    Cloudflare-proxied CNAME is not an officially unsupported scenario for ASMC. Current Microsoft documentation does not list Cloudflare, DNS proxying, or CDN-fronted domains as unsupported for either certificate issuance or renewal.

    What changed (July–November 2025 updates):

    • From July 28, 2025, ASMC uses HTTP token validation instead of relying solely on DNS validation
    • From November 2025, validation requests from DigiCert are handled directly by the App Service front-end layer, not your app
    • Validation is performed via: https://<your-domain>/.well-known/pki-validation/...

    Implications for Cloudflare-proxied domains:

    • Since validation is now HTTP-based and handled at the platform level, Cloudflare proxying (orange cloud) should not block certificate issuance or renewal, as long as:
      • The domain publicly resolves
      • HTTPS traffic can reach Azure App Service endpoints
    • The earlier issue you observed (CNAME validation failing when proxied) is tied to the custom domain verification step in App Service, not the ASMC issuance/renewal process itself

    Regarding renewals:

    • If the certificate was successfully issued under the new validation model and all requirements remain satisfied, automatic renewal should continue to work, even with Cloudflare proxying enabled.

    Reference:
    https://techcommunity.microsoft.com/blog/appsonazureblog/important-changes-to-app-service-managed-certificates-is-your-certificate-affect/4435193
    If the answer is helpful, please click "Accept the answer" and "Yes", as this can be beneficial to other community members.

    If you have any other questions, let me know in the comments and I would be happy to help you.

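A readiness check for the HTTP validation path the accepted answer describes, added here as an example; it is not code from the thread, from Microsoft or from Cloudflare. It assumes that DigiCert requests a token under `/.well-known/pki-validation/<token>` (the answer gives only the prefix), that a 200 or 404 from the origin means the request got through the proxy to App Service (what App Service returns on that path outside a validation window is an assumption), and that a Cloudflare challenge response carries the `cf-mitigated: challenge` header. The hostname, token and sample responses are constructed. The script confirms the two conditions the answer lists (the name resolves publicly and HTTPS reaches the App Service endpoint) and flags a redirect rule or challenge that would intercept the validation request before it reaches the front-end.

```python
"""Readiness check for App Service Managed Certificate HTTP validation
through a Cloudflare proxy. Added example; not code from the thread,
Microsoft or Cloudflare.

Assumptions (labelled, not stated in the thread):
  * validation tokens are requested under /.well-known/pki-validation/<token>
  * a 200 or 404 means the request passed the proxy and reached App Service
    (a 404 is assumed to be normal when no token is currently published)
  * a Cloudflare challenge page carries the header cf-mitigated: challenge
"""
import http.client
import socket
import ssl
import sys
from dataclasses import dataclass

VALIDATION_PATH = "/.well-known/pki-validation/"


@dataclass
class Verdict:
    ok: bool
    reason: str


def classify_response(status: int, headers: dict) -> Verdict:
    """Decide whether a response on the validation path looks like it reached
    the App Service front-end or was intercepted by the proxy layer."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("cf-mitigated") == "challenge":
        return Verdict(False, "Cloudflare served a challenge page; "
                              "exempt the validation path from challenge/WAF rules")
    if 300 <= status < 400:
        return Verdict(False, f"redirected to {h.get('location', '?')}; "
                              "redirect rules must not cover the validation path")
    if status in (200, 404):
        return Verdict(True, f"HTTP {status}: request reached the origin "
                             "(404 is assumed normal outside a validation window)")
    if status >= 500:
        return Verdict(False, f"HTTP {status}: origin or proxy error")
    return Verdict(False, f"HTTP {status}: unexpected response, check WAF/firewall rules")


def probe(hostname: str, token: str = "readiness-probe", timeout: float = 10.0) -> Verdict:
    """Live check: confirm the name resolves publicly, then request the
    validation path over HTTPS without following redirects."""
    try:
        socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return Verdict(False, f"{hostname} does not resolve publicly: {exc}")
    conn = http.client.HTTPSConnection(
        hostname, 443, timeout=timeout, context=ssl.create_default_context())
    try:
        # http.client does not follow redirects, so a 3xx is reported as-is.
        conn.request("GET", VALIDATION_PATH + token,
                     headers={"User-Agent": "asmc-readiness-check"})
        resp = conn.getresponse()
        return classify_response(resp.status, dict(resp.getheaders()))
    except OSError as exc:  # covers socket timeouts and TLS errors
        return Verdict(False, f"HTTPS request failed: {exc}")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real tenant) showing the
# three outcomes without network access.
SAMPLE_RESPONSES = {
    "origin-reached": (404, {"Server": "cloudflare"}),
    "cloudflare-challenge": (403, {"Server": "cloudflare", "cf-mitigated": "challenge"}),
    "redirect-rule": (301, {"Server": "cloudflare", "Location": "https://www.example.com/"}),
}


def classify_samples() -> dict:
    """Run the classifier over the constructed samples (offline demo)."""
    return {name: classify_response(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live run against your own proxied hostname, e.g.
        #   python asmc_check.py app.example.com
        verdict = probe(sys.argv[1])
        print("OK  " if verdict.ok else "FAIL", verdict.reason)
    else:
        for name, verdict in classify_samples().items():
            print(f"{name:22} {'OK  ' if verdict.ok else 'FAIL'} {verdict.reason}")
```

Run it with no arguments to see the three constructed outcomes, or pass a hostname to probe it live. A `FAIL` for a challenge or redirect points at a Cloudflare rule that needs an exception for `/.well-known/pki-validation/*`; a resolution failure means the first condition in the answer (the domain publicly resolves) is not met. The check is worth scheduling ahead of the renewal window rather than only at first issuance, since the answer makes renewal depend on the same conditions.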
