A deleted Azure Front Door (classic) resource continues to renew certificates

Question

A deleted Azure Front Door (classic) resource continues to renew certificates

GoonerW 11

I was testing out AFD with my Azure credits and successfully added a domain and allowed AFD to generate a TLS certificate for it.

I deleted the AFD resource as it was no longer needed.

Subsequently, every 9 months since that deletion, I'm seeing new certificate requests being logged for that non-existent AFD resource. Since it's a developer Azure subscription, I can't raise a technical support ticket to get this resolved.

Why is a non-existent AFD resource continuing to request new certificates for a hostname that no longer exists in DNS at all.

Ryan Malayter 1 Reputation point

2022-04-26T21:42:51.047+00:00

I am having the same issue. Certificate Transparency logs show Microsoft renewing certificates for host names that were removed from Front Door more than a year ago. This is likely a violation of the CA Browser Forum guidelines, as you are obtaining certificates from domains which you do not control and for which Azure is no longer authorized to issue certificates (the "afdverify" DNS records are gone, and the DNS for the hostnames in question no longer point to Aazure Front Door). Please fix immediately; this should likely also be reported to the CA-Browser forum as a mis-issuance event.
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-04-27T11:38:13.813+00:00

Hello @Ryan Malayter ,

The Azure Front Door Product group team is aware of this issue and is already working on a fix.
If you are facing this issue, it needs to be fixed from the backend. So if you have a support plan, I request you file a support ticket.

Regards,
Gita
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-05-06T05:39:02.797+00:00

Hello @GoonerW ,

I'm following up on this post to check if you were able to see the private message as we have not received your email yet.
Awaiting your response to proceed further.

Regards,
Gita

Ryan Malayter 1 Reputation point

2022-04-26T21:42:51.047+00:00

I am having the same issue. Certificate Transparency logs show Microsoft renewing certificates for host names that were removed from Front Door more than a year ago. This is likely a violation of the CA Browser Forum guidelines, as you are obtaining certificates from domains which you do not control and for which Azure is no longer authorized to issue certificates (the "afdverify" DNS records are gone, and the DNS for the hostnames in question no longer point to Aazure Front Door). Please fix immediately; this should likely also be reported to the CA-Browser forum as a mis-issuance event.
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-04-27T11:38:13.813+00:00

Hello @Ryan Malayter ,

The Azure Front Door Product group team is aware of this issue and is already working on a fix.
If you are facing this issue, it needs to be fixed from the backend. So if you have a support plan, I request you file a support ticket.

Regards,
Gita
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-05-06T05:39:02.797+00:00

Hello @GoonerW ,

I'm following up on this post to check if you were able to see the private message as we have not received your email yet.
Awaiting your response to proceed further.

Regards,
Gita

Answer 1

GitaraniSharma-MSFT 32,821 Microsoft Employee

Hello @GoonerW ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that a deleted Azure Front Door (classic) resource in your subscription continues to sent new requests to renew certificates for that non-existent AFD resource.

I checked internally regarding this issue and found that this is a known bug where DigiCert continues to send the certificate renewal emails as the binding is not removed and the backend team is working on a fix for this issue.

Per DigiCert team, if you are receiving DigiCert emails to renew a certificate for a custom domain you already removed, you should be able to click the link in the email and not authorize the order for the certificate (that would cancel the order).
If you have already tried this and are constantly getting emails in spite of this, we can help you get a one-time free support to get this fixed by the backend team. In case you need help with a one-time free technical support, please send us an email as requested over the private message.

Kindly let us know if the above helped or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

GoonerW 11 Reputation points

2022-04-22T03:22:10.03+00:00

(Edit: Should've clicked comment here instead of making a new answer)

I'm not receiving any emails from DigiCert (nor did I ever receive any when setting AFD up). The only notice I'm receiving is due to monitoring Certificate
Transparency logs showing this specific cert renewal from DigiCert approximately every 9 months.
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-04-25T11:40:17.743+00:00

Hello @GoonerW ,

Thank you for the update.

Please drop us an email as requested in the private message, so that we can enable a one-time free support for you for further investigation on this issue.

Regards,
Gita
GoonerW 11 Reputation points

2022-04-26T00:32:21.64+00:00

Thanks for the response. I cannot see any private message that you are referring to so I am unable to send any email as requested.
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-04-27T11:32:34.413+00:00

Hello @GoonerW ,

I have added the message again in the comment section. It should be visible to you now. Please drop us an email as requested.

Regards,
Gita
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-05-02T13:53:29.913+00:00

Hello @GoonerW ,

Could you please provide an update on this post?

I have added the private message again in the comment section. It should be visible to you now. Please drop us an email as requested.

Regards,
Gita
GoonerW 11 Reputation points

2022-06-01T00:59:46.41+00:00

Apologies for not replying sooner. Perhaps the private message has expired. I still cannot see any private message link in any of your comments.
GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-06-07T08:13:38.827+00:00

Hello @GoonerW , I've added the message again. Could you please check & respond?
GoonerW 11 Reputation points

2022-06-17T01:44:50.463+00:00

Email sent.

Answer 2

I see the same in the CT log search tool at https://ui.ctsearch.entrust.com/ui/ctsearchui
All of the domains we once had using Front Door more than a year ago are still having certificates renewed, despite having no afdverify.* DNS records present for more than a year, and the hostnames point to a resource that is not Azure Front Door.

How is DigiCert even allowing these renewals as there is no domain validation possible? The certificate details clearly indicate Microsoft is requesting these certs:

Issuer DN: cn=DigiCert TLS RSA SHA256 2020 CA1,o=DigiCert Inc,c=US
Subject DN: cn=redacted.example.com,o=Microsoft Corporation,l=Redmond,st=Washington,c=US
Subject Org: Microsoft Corporation

GitaraniSharma-MSFT 32,821 Reputation points Microsoft Employee

2022-04-27T11:38:54.203+00:00

Hello @Ryan Malayter ,

The Azure Front Door Product group team is aware of this issue and is already working on a fix.
If you are facing this issue, it needs to be fixed from the backend. So if you have a support plan, I request you file a support ticket.

Regards,
Gita

A deleted Azure Front Door (classic) resource continues to renew certificates

2 answers

Activity