Domain validation steps for Azure Front Door Standard SKU certificate renewal

Question

Domain validation steps for Azure Front Door Standard SKU certificate renewal

Pitawat 351

I am using Azure Front Door Standard SKU (Preview) with AFD-managed certificate. My custom domain is proxied through Cloudflare thus running nslookup won't show Front Door's endpoint xxxx.z01.azurefd.net.

When I add a new custom domain to Azure Front Door, it will ask me to add a TXT record _dnsauth.test.example.com with verification token and the domain Provisioning state would be "Succeeded" and Validation state would be "Approved". I then add a CNAME record that points to test.z01.azurefd.net and the connection would work.

When the AFD-managed certificate nearly expires, Front Door would automatically renew the certificate. I understand that before each renewal, it would validate domain ownership. I would like to know if it will check for CNAME record that points to test.z01.azurefd.net or it will check for the same TXT record that I added during custom domain creation?

My concern is that I would like to proxy my domain name though Cloudflare and if it checks for CNAME record, it would fail. But there will be no problem if it checks for the TXT record like it did during custom domain creation.

Which DNS record does it validate?

Thank you.

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-03-25T23:01:00.08+00:00

Hello @Pitawat ,
I have reached out to the team internally regarding this issue and will keep you updated as soon as I have a response. Thank you!

1 answer

Your answer

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-03-25T23:01:00.08+00:00

Hello @Pitawat ,
I have reached out to the team internally regarding this issue and will keep you updated as soon as I have a response. Thank you!

Answer 1

ChaitanyaNaykodi-MSFT 27,481 Microsoft Employee Moderator

Hello @Pitawat ,

It will validate the CNAME DNS record. As per the documentation here the auto rotation won't happen if your custom domain points to Azure Front Door through a long chain, for example, putting an Azure Traffic Manager before Azure Front Door and other CDN providers. The domain validation state will become ‘Pending Revalidation’ 45 days before managed certificate expiry or ‘Rejected’ if the managed certificate issuance is rejected by the certificate authority.

You can go through this Domain validation state documentation for required action for each state.

In case of Pending re-validation state. This happens when the managed certificate is 45 days or less from expiry. If the custom domain is pointing to other CNAME records, please click on ‘Pending Revalidation’ and hit ‘Regenerate’ on the ‘Validate the custom domain’ page. Then click on Add or add the TXT record with your own DNS provider’s DNS management.

Hope this helps! Please let me know if you have any additional questions. Thank you!

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Pitawat 351 Reputation points

2022-03-29T03:00:48.243+00:00

Hello @ChaitanyaNaykodi-MSFT ,

Thank you for your reply.

I have also contacted Azure support and after some conversations with the support agent, he told me that once the domain validation passed for the first time (during adding custom domain to AFD), it will not re-validate and that the CNAME record does not need to be seen pointing to test.z01.azurefd.net endpoint when renewing AFD-managed certificate.

His reply conflicts with your answer and the documentation you provided. Would you mind looking into my support ticket?

Thank you.
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-03-29T18:06:38.14+00:00

Hello @Pitawat , Thank you for your response. Sure, I will have a look at the support ticket. I have made a private message above. Can you please share the support ticket number there? Thanks.
Pitawat 351 Reputation points

2022-04-20T13:03:23.577+00:00

@ChaitanyaNaykodi-MSFT it's been 3 weeks since I provided you the support ticket number. Is there any update or someone who can look into this issue? Thank you.
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-04-21T20:57:06.487+00:00

Hello @Pitawat ,
Apologies for the delayed response here.

I got a response back from the product team. The information shared in my answer above is correct. The auto-renewal will happen only when the domain is directly CNAMEd to AFD endpoint. Otherwise, re-validation is required for renewal of the managed cert.

Hope this helps! Thank you for your patience throughout this process. Please let me know if you have any additional questions.
Erik O'Leary 16 Reputation points

2023-05-04T01:43:33.6233333+00:00

Why is it necessary to do this manually for CNAME records?
steve 0 Reputation points

2023-12-18T22:59:09.08+00:00

This will result in a lot of extra work. Is there no other workaround?

Share via

Domain validation steps for Azure Front Door Standard SKU certificate renewal

1 answer

Your answer