A deleted Azure Front Door (classic) resource continues to renew certificates

GoonerW 11 Reputation points
2022-04-21T05:45:11.06+00:00

I was testing out AFD with my Azure credits and successfully added a domain and allowed AFD to generate a TLS certificate for it.

I deleted the AFD resource as it was no longer needed.

Subsequently, every 9 months since that deletion, I'm seeing new certificate requests being logged for that non-existent AFD resource. Since it's a developer Azure subscription, I can't raise a technical support ticket to get this resolved.

Why is a non-existent AFD resource continuing to request new certificates for a hostname that no longer exists in DNS at all?


2 answers

  1. GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee
    2022-04-21T09:28:40.837+00:00

    Hello @GoonerW ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that a deleted Azure Front Door (classic) resource in your subscription continues to send new requests to renew certificates for that non-existent AFD resource.

    I checked internally regarding this issue and found that this is a known bug where DigiCert continues to send the certificate renewal emails as the binding is not removed and the backend team is working on a fix for this issue.

    Per DigiCert team, if you are receiving DigiCert emails to renew a certificate for a custom domain you already removed, you should be able to click the link in the email and not authorize the order for the certificate (that would cancel the order).
    If you have already tried this and are constantly getting emails in spite of this, we can help you get a one-time free support to get this fixed by the backend team. In case you need help with a one-time free technical support, please send us an email as requested over the private message.

    Kindly let us know if the above helped or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Ryan Malayter 1 Reputation point
    2022-04-26T21:59:58.293+00:00

    I see the same in the CT log search tool at https://ui.ctsearch.entrust.com/ui/ctsearchui
    All of the domains we once had using Front Door more than a year ago are still having certificates renewed, despite having no afdverify.* DNS records present for more than a year, and the hostnames point to a resource that is not Azure Front Door.

    How is DigiCert even allowing these renewals as there is no domain validation possible? The certificate details clearly indicate Microsoft is requesting these certs:

    Issuer DN: cn=DigiCert TLS RSA SHA256 2020 CA1,o=DigiCert Inc,c=US
    Subject DN: cn=redacted.example.com,o=Microsoft Corporation,l=Redmond,st=Washington,c=US
    Subject Org: Microsoft Corporation
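
An added example (not part of either answer, and not Microsoft or DigiCert code): a check over exported CT search results that flags certificates issued for a hostname after it was removed from Front Door, using the DN layout quoted above. The record field names, hostnames, dates and the "Example CA" issuer are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample records using the DN layout quoted in the answer above;
# hostnames, dates and the "Example CA" issuer are made up for illustration.
AFD_SUBJECT = "cn={},o=Microsoft Corporation,l=Redmond,st=Washington,c=US"
DIGICERT = "cn=DigiCert TLS RSA SHA256 2020 CA1,o=DigiCert Inc,c=US"
CT_RECORDS = [
    {"issuer_dn": DIGICERT, "subject_dn": AFD_SUBJECT.format("old-afd.example.com"),
     "not_before": "2022-01-15"},
    {"issuer_dn": DIGICERT, "subject_dn": AFD_SUBJECT.format("old-afd.example.com"),
     "not_before": "2020-07-01"},
    {"issuer_dn": "cn=Example CA,o=Example Trust,c=US",
     "subject_dn": "cn=www.example.com", "not_before": "2022-02-01"},
]
# Hostname -> date its Front Door custom domain was removed (constructed).
REMOVED = {"old-afd.example.com": date(2021, 3, 1)}


def parse_dn(dn):
    """Parse 'k=v,k=v' into a dict with lower-cased keys.

    Splits on commas not preceded by a backslash; multi-valued RDNs ('+')
    are not handled."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip().replace("\\,", ",")
    return attrs


def unexpected_issuance(records, removed):
    """Return (host, subject org, issuer CN, not_before) for each certificate
    issued after the host was removed from the service, oldest first.

    Matches on the subject CN only; SAN entries are not modelled here."""
    hits = []
    for rec in records:
        subject, issuer = parse_dn(rec["subject_dn"]), parse_dn(rec["issuer_dn"])
        host = subject.get("cn", "").lower()
        issued = date.fromisoformat(rec["not_before"])
        if host in removed and issued > removed[host]:
            hits.append((host, subject.get("o"), issuer.get("cn"), issued))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for hit in unexpected_issuance(CT_RECORDS, REMOVED):
        print(*hit)
```

A hit whose subject organization is not your own, as in the certificate details quoted above, identifies which party requested the certificate.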