Managed Certificates behind traffic manager

Eric Winkler 6 Reputation points
2019-11-13T09:04:21.357+00:00

Hi Folks,

The new managed certificates are an excellent step forward for app service.

Is there a recommended way to use managed certificates on multiple app services that are sitting behind the same traffic manager profile?

Currently, DNS validation stops you from setting this up (awverify records don't help). Although you may be able to temporarily juggle the endpoints a bit to force this through, I fear this may break the auto-renewal in a few months time.


5 answers

  1. Jørn Andre Sundt 6 Reputation points
    2019-11-27T12:45:40.297+00:00

    We currently have two App Service instances in two different Azure Regions, and we use Traffic Manager for geo-based routing + failover.

    We have our custom domain DNS CNAME record pointing to our [x].trafficmanager.net address, and up till now we have uploaded the same .pfx certificate to both App Service instances and bound it.

    A couple of days ago, we tried to replace the uploaded pfx with a new App Service Managed Certificate, but were blocked by the feature limitations when using multiple App Service instances behind Traffic Manager.

    Here's what we did:

    1. On App Service instance 1 (region A), we created a new Managed Certificate for our custom domain hostname, and set up the domain/cert binding. This works as expected.
    2. On App Service instance 2 (region B):
      • There is no way to get the certificate created for instance 1 copied into instance 2
      • There is no way to create another Managed Certificate for the same hostname on instance 2
        We get the following error message:
        "Failed to create App Service Managed Certificate for hostname [customhost] Error Details: The resource '[customhost]' already exists in location '[region A]' in resource group '[resourcegroup]'. A resource with the same name cannot be created in location '[region B]'. Please select a new resource name."

    @ajkuma: If there is a way to get this to work, can you please provide the necessary steps to get there?


  2. ajkuma 22,401 Reputation points Microsoft Employee
    2019-11-14T04:54:02.163+00:00

    Thanks for posting a good question and your valuable feedback!

    Yes! Free Transport Layer Security (TLS) for Azure App Service has been one of the most highly requested features of the service since its inception. While this is still in preview and receiving feedback from the users, our product team is actively working on further enhancements.

    For your question on Managed Certificate behind Traffic Manager - I'm checking on this internally and will get back to you soon.

    Just to highlight, as mentioned in the blog App Service Managed Certificates (preview) and based on your requirement: "If you’re planning to do a live site migration with TXT record, need support for apex domains, or need a wildcard certificate, then use App Service Certificates or bring your own certificate."


  3. ajkuma 22,401 Reputation points Microsoft Employee
    2019-11-19T07:22:36.253+00:00

    Apologies for the delay! I have received an update from the product team, we now support creating App Service Managed cert for CNAMEs that point to .trafficmanager.net, which in turn points to .azurewebsites.net. Kindly try this out and let us know if you face any issues. Also, our team is working on Azure docs to highlight this update, but there is no ETA on this yet. Hope this helps! Thanks again for your feedback!


  4. Brian Dunnington 1 Reputation point Microsoft Employee
    2020-06-03T20:30:50.883+00:00

    That PowerShell script mentioned by @AjayKumar-MSFT does work if you note the "You would just need to give a different name from previous ASMC created" part. The script in the blog post uses the domain name as the cert name, which won't work because the name will be the same for both regions. But if you modify it to separate out the cert name from the domain name, it worked for me and I was able to secure multiple instances in different regions with the same Traffic Manager domain.

    # Replace the placeholders. The cert name must differ from the domain name,
    # and from the cert name used in the other region, because ASMC names are region-scoped.
    $location = "westus"
    $ResourceGroupName = "YourResourceGroupName"
    $AppServicePlanName = "YourAppServicePlanName"
    $appName = "YourAppName"
    $domainName = "yourdomain.trafficmanager.net"
    $certName = "SomeUniqueNameThatIsNotDomainName"

    # The managed certificate is created against the app's App Service plan
    $asp = Get-AzResource -Name $AppServicePlanName `
        -ResourceGroupName $ResourceGroupName `
        -ResourceType "Microsoft.Web/serverfarms"
    $AppServicePlanId = $asp.ResourceId

    $PropertiesObject = @{
        canonicalName = $domainName
        serverFarmId  = $AppServicePlanId
    }

    # Create the App Service Managed Certificate under the unique resource name
    New-AzResource -Name $certName -Location $location `
        -PropertyObject $PropertiesObject `
        -ResourceGroupName $ResourceGroupName `
        -ResourceType Microsoft.Web/certificates `
        -Force

    $freeCert = Get-AzResource -ResourceName $certName `
        -ResourceGroupName $ResourceGroupName `
        -ResourceType Microsoft.Web/certificates

    $freeCert
    $freeCert.Properties.thumbprint

    # Bind the new cert to the hostname. The hostnameBindings child resource is
    # named <app>/<hostname>; only the certificate resource gets the unique name.
    $PropertiesObject = @{
        SslState   = "SniEnabled"
        thumbprint = $freeCert.Properties.thumbprint
    }

    $bindingName = $appName + '/' + $domainName

    New-AzResource -Name $bindingName -Location $location `
        -PropertyObject $PropertiesObject `
        -ResourceGroupName $ResourceGroupName `
        -ResourceType Microsoft.Web/sites/hostnameBindings `
        -Force
    
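An added example, not code from the thread or from Microsoft: after a script like the one above has been run in each region, this audits the result. It checks the CNAME chain runs through trafficmanager.net to azurewebsites.net (the prerequisite ajkuma described), that every app behind the Traffic Manager hostname has the host bound with SNI to a certificate resource in its own region, and how many days remain before each certificate expires, which is the renewal worry raised in the question. It assumes the Az module with an active login, the Windows DnsClient module for Resolve-DnsName, and placeholder names for the resource group, apps and hostname.

```powershell
# Added example: audit the per-region certificates behind one Traffic Manager hostname.
# Assumes Az (Connect-AzAccount already done) and the Windows DnsClient module (Resolve-DnsName).
$ResourceGroupName = "YourResourceGroupName"                # placeholder
$hostName          = "www.yourdomain.example"               # placeholder; CNAME -> <profile>.trafficmanager.net
$apps              = @("YourAppRegionA", "YourAppRegionB")  # placeholders; one App Service per TM endpoint

# 1. DNS prerequisite: host -> *.trafficmanager.net -> *.azurewebsites.net (follow up to 4 CNAME hops)
$chain = @(); $next = $hostName
for ($hop = 0; $hop -lt 4 -and $next; $hop++) {
    $rec  = Resolve-DnsName -Name $next -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
    $next = $rec.NameHost
    if ($next) { $chain += $next }
}
if (-not ($chain -match '\.trafficmanager\.net$') -or -not ($chain -match '\.azurewebsites\.net$')) {
    Write-Warning "CNAME chain '$hostName -> $($chain -join ' -> ')' does not pass trafficmanager.net and azurewebsites.net"
}

# 2. Each region's app needs the host binding and a certificate resource in its own region
#    (ASMC names are region-scoped, as the error in the first answer shows; match on thumbprint + region)
$certs = Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType Microsoft.Web/certificates
foreach ($appName in $apps) {
    $app     = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $appName
    $appLoc  = $app.Location -replace '\s', ''              # "West US" and "westus" both appear in Az output
    $binding = $app.HostNameSslStates | Where-Object Name -eq $hostName
    if (-not $binding -or "$($binding.SslState)" -ne 'SniEnabled') {
        Write-Warning "$($appName): $hostName has no SNI binding"; continue
    }
    $cert = $certs | Where-Object {
        $_.Properties.thumbprint -eq $binding.Thumbprint -and ($_.Location -replace '\s', '') -eq $appLoc
    } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "$($appName): bound thumbprint $($binding.Thumbprint) has no certificate resource in $appLoc"; continue
    }
    $daysLeft = ([datetime]$cert.Properties.expirationDate - (Get-Date)).Days
    if ($daysLeft -lt 30) { Write-Warning "$($appName): certificate $($cert.Name) expires in $daysLeft days" }
    [pscustomobject]@{
        App = $appName; Region = $appLoc; CertName = $cert.Name
        Managed = [bool]$cert.Properties.canonicalName      # only ASMC resources carry canonicalName
        Thumbprint = $binding.Thumbprint; DaysToExpiry = $daysLeft
    }
}
```

Run it after each renewal window to confirm both regions still hold a valid, bound certificate rather than discovering a lapse at the Traffic Manager endpoint.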

  5. matt 1 Reputation point
    2021-07-19T14:05:02.883+00:00

    I've recently struggled with this and have used a part of the script above to get this working for secondary app services when in TM priority mode, see here:

    https://stackoverflow.com/questions/68441838/azure-app-service-managed-certificate-on-secondary-instance-without-downtime
