EricWinkler-2829 asked ·

Managed Certificates behind traffic manager

Hi Folks,

The new managed certificates are an excellent step forward for app service.

Is there a recommended way to use managed certificates on multiple app services that are sitting behind the same traffic manager profile?

Currently, DNS validation stops you from setting this up (awverify records don't help). Although you may be able to temporarily juggle the endpoints a bit to force this through, I fear this may break the auto-renewal in a few months time.

azure-webapps

Hi @EricWinkler-2829, if the below response answered your question, feel free to "accept" the answer. Please let us know if you have further questions.

ajkuma-MSFT answered ·

Thanks for posting a good question and your valuable feedback!

Yes! Free Transport Layer Security (TLS) for Azure App Service has been one of the most highly requested features of the service since its inception. While this is still in preview and receiving feedback from the users, our product team is actively working on further enhancements.

For your question on Managed Certificate behind Traffic Manager - I'm checking on this internally and will get back to you soon.

Just to highlight, as mentioned in the blog App Service Managed Certificates (preview) and based on your requirement, "If you’re planning to do a live site migration with TXT record, need support for apex domains, or need a wildcard certificate, then use App Service Certificates or bring your own certificate." -

ajkuma-MSFT answered ·

Apologies for the delay! I have received an update from the product team, we now support creating App Service Managed cert for CNAMEs that point to .trafficmanager.net, which in turn points to .azurewebsites.net. Kindly try this out and let us know if you face any issues. Also, our team is working on Azure docs to highlight this update, but there is no ETA on this yet. Hope this helps! Thanks again for your feedback!


@EricWinkler-2829, Kindly let us know if the above post was helpful or you need further assistance.


Thanks for getting back to me. I can see there is partial support for webapps behind traffic manager, however the support is limited to how reachable the webapp is according to the traffic manager profile.

For example:

  • Using priority based routing, it is only possible to configure the certificate on the webapp configured as the #1 endpoint

  • Using performance based routing, the UI intermittently flips between eligible and not eligible for certificate creation


@ajkuma-MSFT I was having similar problems creating an App Service Managed Certificate for an App Service running in an ASE with ILB. The domains for the ASE are different from .azurewebsites.net. Do you know if this should be resolved as well? Do I need to make a separate posting?

.scm.appserviceenvironment.net .appserviceenvironment.net

JrnAndreSundt-6935 answered ·

We currently have two App Service instances in two different Azure Regions, and we use Traffic Manager for geo-based routing + failover.

We have our custom domain DNS CNAME record pointing to our [x].trafficmanager.net address, and up till now we have uploaded the same .pfx certificate to both App Service instances and bound it.

A couple of days ago, we tried to replace the uploaded pfx with a new App Service Managed Certificate, but were blocked by the feature limitations when using multiple App Service instances behind Traffic Manager.

Here's what we did:

  1. On App Service instance 1 (region A), we created a new Managed Certificate for our custom domain hostname, and set up the domain/cert binding. This works as expected.

  2. On App Service instance 2 (region B):

    • There is no way to get the certificate created for instance 1 copied into instance 2

    • There is no way to create another Managed Certificate for the same hostname on instance 2
      We get the following error message:
      "Failed to create App Service Managed Certificate for hostname [customhost] Error Details: The resource '[customhost]' already exists in location '[region A]' in resource group '[resourcegroup]'. A resource with the same name cannot be created in location '[region B]'. Please select a new resource name."

@ajkuma-MSFT: If there is a way to get this to work, can you please provide the necessary steps to get there?


Apologies for the delay! I'm checking on this and will get back to you soon.


Currently, from the portal you cannot create ASMC (App Service Managed Certificate) for the same hostname in another region. However, you can use a Powershell script. Here’s a link to a [blog][1] that has a sample of the script. You would just need to give a different name from the previous ASMC created.

Note: This post contains a link to a third-party site for your reference and convenience only; please exercise caution while accessing third-party sites. [1]: https://dotnetdevlife.wordpress.com/2019/11/11/app-service-managed-certificate/

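A sketch of the PowerShell approach that answer refers to, written here as an added example rather than the linked blog's or Microsoft's own script. The hostname, resource group, app and region names are placeholders; the `canonicalName`/`serverFarmId` properties and the `Properties.thumbprint` field on the returned object are assumed from the shape of the Microsoft.Web/certificates resource, and the only point being illustrated is giving the second certificate a resource name that differs from the one already created in region A.

```powershell
# Added example (not from the thread or the linked blog): request a second
# App Service Managed Certificate for the same hostname in a second region.
# Assumes the Az module and an authenticated session (Connect-AzAccount).
# Every name below is a placeholder to replace.

$hostname      = "www.contoso.example"   # custom hostname, CNAME -> [x].trafficmanager.net
$resourceGroup = "rg-web-regionB"        # resource group of the region-B app
$webAppName    = "webapp-regionB"
$location      = "West Europe"           # region B
# The portal reuses the hostname as the certificate resource name, which is
# what collides with the region-A certificate. Use a distinct name here.
$certName      = "$hostname-regionB"

$app = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $webAppName

# The hostname has to be added to the app before a managed cert can be issued for it.
if ($app.HostNames -notcontains $hostname) {
    throw "Add $hostname as a custom domain on $webAppName before requesting the certificate."
}

# canonicalName is the hostname the certificate is issued for; serverFarmId ties the
# certificate to the app's App Service plan (property names assumed, see lead-in).
$props = @{
    canonicalName = $hostname
    serverFarmId  = $app.ServerFarmId
}
$cert = New-AzResource -ResourceGroupName $resourceGroup -Location $location `
    -ResourceType "Microsoft.Web/certificates" -Name $certName `
    -PropertyObject $props -ApiVersion "2019-08-01" -Force

# Bind the freshly issued certificate to the hostname using SNI.
$thumbprint = $cert.Properties.thumbprint   # field name assumed
New-AzWebAppSSLBinding -ResourceGroupName $resourceGroup -WebAppName $webAppName `
    -Name $hostname -Thumbprint $thumbprint -SslState SniEnabled

# Confirm which certificate is now bound for this hostname.
Get-AzWebAppSSLBinding -ResourceGroupName $resourceGroup -WebAppName $webAppName |
    Where-Object { $_.Name -eq $hostname } |
    Select-Object Name, SslState, Thumbprint
```

If the request still fails, the error text returned by New-AzResource is the thing to capture; the thread above shows the name-collision message you would see when the resource name is not distinct.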

Hi Team, we have a similar issue and tried to apply the PowerShell script for the 2nd instance, but that has failed. Is there any other reference documentation?
