EricWinkler-2829 asked ·

Managed Certificates behind traffic manager

Hi Folks,

The new managed certificates are an excellent step forward for app service.

Is there a recommended way to use managed certificates on multiple app services that are sitting behind the same traffic manager profile?

Currently, DNS validation stops you from setting this up (awverify records don't help). Although you may be able to temporarily juggle the endpoints a bit to force this through, I fear this may break the auto-renewal in a few months' time.

azure-webapps

Hi @EricWinkler-2829, if the below response answered your question, feel free to "accept" the answer. Please let us know if you have further questions.

ajkuma-MSFT answered ·

Thanks for posting a good question and your valuable feedback!

Yes! Free Transport Layer Security (TLS) for Azure App Service has been one of the most highly requested features of the service since its inception. While this is still in preview and receiving feedback from the users, our product team is actively working on further enhancements.


For your question on Managed Certificate behind Traffic Manager - I'm checking on this internally and will get back to you soon.

Just to highlight, as mentioned in the blog App Service Managed Certificates (preview) and based on your requirement, "If you’re planning to do a live site migration with TXT record, need support for apex domains, or need a wildcard certificate, then use App Service Certificates or bring your own certificate."




ajkuma-MSFT answered ·

Apologies for the delay! I have received an update from the product team: we now support creating an App Service Managed cert for CNAMEs that point to .trafficmanager.net, which in turn points to .azurewebsites.net. Kindly try this out and let us know if you face any issues. Also, our team is working on Azure docs to highlight this update, but there is no ETA on this yet. Hope this helps! Thanks again for your feedback!



@EricWinkler-2829, Kindly let us know if the above post was helpful or you need further assistance.


Thanks for getting back to me. I can see there is partial support for webapps behind traffic manager, however the support is limited to how reachable the webapp is according to the traffic manager profile.

For example:

  • Using priority based routing, it is only possible to configure the certificate on the webapp configured as the #1 endpoint

  • Using performance based routing, the UI intermittently flips between eligible and not eligible for certificate creation


@ajkuma-MSFT I was having similar problems creating an App Service managed certificate for an App Service running in an ASE with ILB. The domains for the ASE are different from the .azurewebsites.net ones. Do you know if this should be resolved as well? Do I need to make a separate posting?

.scm.appserviceenvironment.net
.appserviceenvironment.net

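The update above says the managed-certificate validation accepts a custom hostname whose CNAME points at a .trafficmanager.net name that in turn points at a .azurewebsites.net name. The following PowerShell is an added example, not code from this thread or from Microsoft, that follows a hostname's CNAME chain with Resolve-DnsName and reports whether it has that shape before you attempt certificate creation. The hostname and hop limit are hypothetical parameters.

```powershell
# Added example (not from the thread): walk the CNAME chain of a custom hostname
# and report whether it passes through *.trafficmanager.net and ends at
# *.azurewebsites.net. Hostname and hop limit below are hypothetical placeholders.
param(
    [string]$CustomHostname = "www.contoso.example",   # hypothetical custom hostname
    [int]$MaxHops = 5                                  # guard against CNAME loops
)

function Get-CnameChain {
    param([string]$Name, [int]$MaxHops)
    $chain   = @($Name)
    $current = $Name
    for ($i = 0; $i -lt $MaxHops; $i++) {
        # Ask only for the CNAME at this hop; stop when the name has none (A/AAAA reached)
        $rec = Resolve-DnsName -Name $current -Type CNAME -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $rec) { break }
        $current = $rec.NameHost
        $chain  += $current
    }
    return $chain
}

function Test-TrafficManagerChain {
    param([string[]]$Chain)
    $viaTm   = [bool]($Chain | Where-Object { $_ -like '*.trafficmanager.net' })
    $toApp   = [bool]($Chain | Where-Object { $_ -like '*.azurewebsites.net' })
    [pscustomobject]@{
        Hostname          = $Chain[0]
        Chain             = ($Chain -join ' -> ')
        ViaTrafficManager = $viaTm
        EndsAtAppService  = $toApp
        # The shape described in the answer: custom -> trafficmanager.net -> azurewebsites.net
        EligibleShape     = ($viaTm -and $toApp)
    }
}

$chain = Get-CnameChain -Name $CustomHostname -MaxHops $MaxHops
Test-TrafficManagerChain -Chain $chain | Format-List
```

Traffic Manager answers each query with whichever endpoint its routing method currently selects, so the chain this prints ends at one regional app at a time. That is consistent with the observation in the comments that a secondary endpoint's eligibility depends on how the profile resolves at that moment.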
JrnAndreSundt-6935 answered ·

We currently have two App Service instances in two different Azure Regions, and we use Traffic Manager for geo-based routing + failover.

We have our custom domain DNS CNAME record pointing to our [x].trafficmanager.net address, and up till now we have uploaded the same .pfx certificate to both App Service instances and bound it.

A couple of days ago, we tried to replace the uploaded pfx with a new App Service Managed Certificate, but were blocked by the feature limitations when using multiple App Service instances behind Traffic Manager.

Here's what we did:

  1. On App Service instance 1 (region A), we created a new Managed Certificate for our custom domain hostname, and set up the domain/cert binding. This works as expected.

  2. On App Service instance 2 (region B):

    • There is no way to get the certificate created for instance 1 copied into instance 2

    • There is no way to create another Managed Certificate for the same hostname on instance 2
      We get the following error message:
      "Failed to create App Service Managed Certificate for hostname [customhost] Error Details: The resource '[customhost]' already exists in location '[region A]' in resource group '[resourcegroup]'. A resource with the same name cannot be created in location '[region B]'. Please select a new resource name."

@ajkuma-MSFT: If there is a way to get this to work, can you please provide the necessary steps to get there?







Apologies for the delay! I'm checking on this and will get back to you soon.


Currently, from the portal you cannot create an ASMC (App Service Managed Certificate) for the same hostname in another region. However, you can use a PowerShell script. Here’s a link to a [blog][1] that has a sample of the script. You would just need to give a different name from the previous ASMC created.

Note: This post contains a third-party site for your reference & convenience to you only, please exercise caution while accessing 3rd party sites.
[1]: https://dotnetdevlife.wordpress.com/2019/11/11/app-service-managed-certificate/


Hi Team,
We have a similar issue and tried to apply the PowerShell script for the 2nd instance, but that has failed. Is there any other reference documentation?

brian answered ·

That PowerShell script mentioned by @AjayKumarMSFT does work if you note the "You would just need to give a different name from the previous ASMC created" part. The script in the blog post uses the domain name as the cert name, which won't work because the name will be the same for both regions. But if you modify it to separate out the cert name from the domain name, it worked for me and I was able to secure multiple instances in different regions with the same Traffic Manager domain.

 # Set these to your own values. The certificate name must differ from the
 # domain name so the second region does not collide with the first one.
 $location = "westus"
 $ResourceGroupName = "YourResourceGroupName"
 $AppServicePlanName = "YourAppServicePlanName"
 $appName = "YourAppName"
 $domainName = "yourdomain.trafficmanager.net"
 $certName = "SomeUniqueNameThatIsNotDomainName"

 # The managed certificate is created against the App Service Plan
 $asp = Get-AzResource -Name $AppServicePlanName `
     -ResourceGroupName $ResourceGroupName `
     -ResourceType "Microsoft.Web/serverfarms"
 $AppServicePlanId = $asp.ResourceId

 $PropertiesObject = @{
     canonicalName = $domainName
     serverFarmId  = $AppServicePlanId
 }

 New-AzResource -Name $certName -Location $location `
     -PropertyObject $PropertiesObject `
     -ResourceGroupName $ResourceGroupName `
     -ResourceType Microsoft.Web/certificates `
     -Force

 # Read the certificate back to get the thumbprint issued for it
 $freeCert = Get-AzResource -ResourceName $certName `
     -ResourceGroupName $ResourceGroupName `
     -ResourceType Microsoft.Web/certificates

 $freeCert
 $freeCert.Properties.thumbprint

 # Bind the certificate to the hostname by thumbprint (SNI)
 $PropertiesObject = @{
     SslState   = "SniEnabled"
     thumbprint = $freeCert.Properties.thumbprint
 }

 # The hostname binding resource is named <app>/<hostname>; the unique
 # certificate name is only referenced through its thumbprint above.
 $bindingName = $appName + '/' + $domainName

 New-AzResource -Name $bindingName -Location $location `
     -PropertyObject $PropertiesObject `
     -ResourceGroupName $ResourceGroupName `
     -ResourceType Microsoft.Web/sites/hostnameBindings `
     -Force


@brian, glad it worked. Thanks for the update.
As brian mentioned, requesting everyone to try the above script and ensure that you are giving a different name for the ASMC and that the cert/domain names are unique.


Hi Brian/Ajay, I tried the same, created the certificate as described, and attached it to the primary instance successfully. However, when I tried to attach the same certificate to the secondary instance it failed. At the same time, when I tried to create another certificate with the same canonical name (domain) but a different certificate name, it said the certificate already exists.

If you could please post a working sample where you are able to create two certificates for the same domain and attach them to two different function apps, it would be very helpful for me.


Hi Brian,
As you suggested, I tried to create the cert with a different unique name which is not the traffic manager domain. However, while creating the SSL binding it failed with the below error.
In my case I have defined $certName = "abctest"

[screenshot: error.jpg]

If I revert it to the trafficmanager domain it works for the first instance but doesn't work for the other instance; it fails with the same error. Can you please advise what I am missing here?

Regards
Bijesh



@BijeshRoy-9470 Have you managed to get this work?

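Brian's script and the follow-up comments describe two separate constraints: the certificate name must be unique within the resource group across regions (the "already exists in location" error in JrnAndreSundt's post), while the hostname binding must be named after the hostname, not the certificate (the binding failure Bijesh reports). The PowerShell below is an added example, not Brian's script, the blog's script or a Microsoft procedure, that generalises the same Get-AzResource / New-AzResource calls to every app behind the profile: one uniquely named managed certificate per region, each bound to the same custom hostname on its own app. All resource names and the hostname are hypothetical placeholders.

```powershell
# Added example (not from the thread): per-region managed certificate plus
# hostname binding for several apps behind one Traffic Manager profile.
# Every value below is a hypothetical placeholder; replace with your own.
$hostname = "www.contoso.example"   # custom hostname whose CNAME points at the profile

# One entry per app behind the Traffic Manager profile (hypothetical)
$targets = @(
    @{ Location = "westus"; ResourceGroup = "rg-web"; Plan = "plan-westus"; App = "app-westus" },
    @{ Location = "eastus"; ResourceGroup = "rg-web"; Plan = "plan-eastus"; App = "app-eastus" }
)

function New-RegionalManagedCert {
    param([hashtable]$Target, [string]$Hostname)

    $plan = Get-AzResource -Name $Target.Plan `
        -ResourceGroupName $Target.ResourceGroup `
        -ResourceType "Microsoft.Web/serverfarms"

    # Certificate names must be unique in the resource group regardless of
    # location, so derive one from hostname + location instead of reusing
    # the hostname itself.
    $certName = ($Hostname -replace '[^a-zA-Z0-9]', '-') + '-' + $Target.Location

    New-AzResource -Name $certName -Location $Target.Location `
        -ResourceGroupName $Target.ResourceGroup `
        -ResourceType "Microsoft.Web/certificates" `
        -PropertyObject @{ canonicalName = $Hostname; serverFarmId = $plan.ResourceId } `
        -Force | Out-Null

    # Read it back; a missing thumbprint means issuance/validation did not complete
    $cert = Get-AzResource -ResourceName $certName `
        -ResourceGroupName $Target.ResourceGroup `
        -ResourceType "Microsoft.Web/certificates"
    $thumbprint = $cert.Properties.thumbprint
    if (-not $thumbprint) {
        throw "No thumbprint for '$certName' in $($Target.Location); validation may have failed for this endpoint."
    }

    # The binding is named <app>/<hostname>; the certificate is referenced
    # only by thumbprint, so the unique cert name never appears here.
    New-AzResource -Name ($Target.App + '/' + $Hostname) -Location $Target.Location `
        -ResourceGroupName $Target.ResourceGroup `
        -ResourceType "Microsoft.Web/sites/hostnameBindings" `
        -PropertyObject @{ SslState = "SniEnabled"; thumbprint = $thumbprint } `
        -Force | Out-Null

    [pscustomobject]@{
        App         = $Target.App
        Location    = $Target.Location
        Certificate = $certName
        Thumbprint  = $thumbprint
    }
}

$targets | ForEach-Object { New-RegionalManagedCert -Target $_ -Hostname $hostname }
```

Each certificate request still has to pass the DNS validation discussed earlier in the thread, so for a secondary endpoint the hostname must resolve to that app at the time of issuance; the script surfaces that as the missing-thumbprint error rather than proceeding to a binding that would fail.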
matt-7925 answered ·

I've recently struggled with this and have used a part of the script above to get this working for secondary app services when in TM priority mode, see here:

https://stackoverflow.com/questions/68441838/azure-app-service-managed-certificate-on-secondary-instance-without-downtime
