Why can't I bind this this wildcard SSL cert to a custom domain on my App Service?

NSou 21

I have uploaded a wildcard private key certificate, but cannot use it for SSL binding for the root domain. When I go to add SSL binding and select my custom domain, it says, "No certificates match the selected custom domain."
Uploaded cert:

Error when trying to do SSL binding:

Ryan Hill 25,661 Reputation points Microsoft Employee

2021-10-11T19:09:46.813+00:00

Hi @NSou , just want to make sure your private cert meets the requirements. Does Run All Certificates & Domains checks detector under Diagnose and solve problems blade report any warnings or errors?
NSou 21 Reputation points

2021-10-11T19:46:51.95+00:00
HI @Ryan Hill . I appreciate the help.
I believe our cert meets the requirements. This is a wildcard cert and we have already used it for app service SSL binding for some subdomains. (The binding giving us trouble is for the root domain)

The Run All Certificates & Domain checks feature looks useful, but I find it a bit confusing. It is reporting some warnings/errors that are unexpected for the given time range. Here's what I found:

Identified URLs that could not be assigned to the site.

It lists here the www. subdomain, which I have not tried to assign or bind. (I tried once about 3 hours ago and it rightfully failed, but I ran the diagnostics for the past hour only)

Following certificates cannot be used for configuring SSL Bindings for this web app

The description here says, " The following table lists Private Certificates (.PFX) that were found in the same server farm as your webapp, however they are issued to a URL that your webapp currently is not configured to listen on. Although these certificates are accessible by code in your application, they cannot be used to configure an SSL Binding."

It lists our wildcard cert here and I'm not sure why. As I mentioned, we've used this same cert for app services that host subdomains. Is that why this is showing up?

Thank you again for your help
Ryan Hill 25,661 Reputation points Microsoft Employee

2021-10-11T20:23:05.83+00:00

What happens if you try with the CLI?
NSou 21 Reputation points

2021-10-11T20:41:57.19+00:00
The operation appears to be successful. I only ran the command to bind the cert and there were no errors. The only output was the resource JSON. However, the portal shows that no SSL binding is in place.

az webapp config ssl bind --certificate-thumbprint $thumbprint --ssl-type SNI \ --name $webappname --resource-group $resourceGroup

Accepted answer

Lex Li (Microsoft) 4,662 Reputation points Microsoft Employee

2021-10-12T05:42:13.263+00:00

It is well discussed elsewhere that a wildcard certificate might not work for root domain,

https://serverfault.com/questions/310530/should-a-wildcard-ssl-certificate-secure-both-the-root-domain-as-well-as-the-sub/310545

You need the CA to include the root domain in Alternative Subject Name.
Please sign in to rate this answer.
NSou 21 Reputation points

2021-10-12T19:23:50.807+00:00

Thanks, this likely seems like the issue. We are pursuing getting a version of the wildcard cert which includes the root domain.

NSou 21 Reputation points

2021-10-13T17:14:44.92+00:00

This was the issue. It feels so obvious now, but really had us stumped. Thanks for the help!
Sign in to comment

Why can't I bind this this wildcard SSL cert to a custom domain on my App Service?

0 additional answers