Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,005 questions
Need to remove .azurewebsites.net cert from my App Service custom domain
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 57.00000000000001%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
Michael Dunkel
0
Reputation points
I have an App Service servicing an API for a device with older, finicky SSL requirements. It can't accept multiple SSL certs on a domain and recognize the appropriate one to use, the domain has to only have the single cert it expects.
In addition to the default *.azurewebsites.net domain we have created two custom domains. Each of them has a cert assigned to them with the SNI SSL binding type. The issue is that while each custom domain has the appropriate bound cert, according to the devices (and to SSL Labs server test) both of the custom domains are also returning the *.azurewebsites.net ssl cert as well.
Originally we only had a single custom domain, and the cert was attached with an IP binding rather than SNI, and that kept the default cert from being passed on. However when we created the second custom domain the IP-based binding from the first domain was returned to the second domain. In order to ensure that each cert stayed in it's own domain we had to bind them as SNI SSL, but that leads to the default cert coming through as well.
Is there a way to restrict this default cert from the custom domains using App Service configuration? I would prefer not to create additional App Service Domain resources to wrap my App Service.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
ajkuma 22,841 Reputation points Microsoft Employee2024-05-03T12:25:31.99+00:00 @Michael Dunkel , Based on my understanding of your questions description,
The
*.azurewebsites.netdomain name and the certificate is provided and owned by Azure.I understand the requirement of removing the default domain, but there is no way disable it. You could instead accomplish this by adding a
rewrite rule(Or Redirect rule).A rule to detect if the user has accessed the website using the Azure default domain and issue a HTTP 301 or 403.
Just to highlight, by default, http://yourdomain.azurewebsites.net works even with custom domain added, and the site admins aware about the URL can access, but typically end users would not access this URL directly (unless explicitly shared).
Reference on other approaches outlined in the similar discussion threads:
- can-we-remove-disable-http-domain-azurewebsites-ne
- prevent-azure-default-domains-being-indexed-search-engines-anton-pham
- How to make sure that google doesn't index you Azure subdomain? - You may try adding a robot.txt file for Google indexing the site as mentioned by Peter on SO discussion thread.
I'd posted an answer on similar discussion thread:
- azurewebsites.net domain indexed in google
- can we remove/disable http://domain.azurewebsites.net domain after adding custom domain?
More info:
App Service *.azurewebsites.net TLS Cert Renewal for Web Apps, Functions, and Logic Apps (Standard)
Kindly let us know if my understanding is correct, or please share more details about your scenario/requirement.
If the answer helped (pointed, you in the right direction) > please click Accept Answer - it will help users to find the answers quickly.
-
ajkuma 22,841 Reputation points Microsoft Employee
2024-05-06T10:54:00.4433333+00:00 @Michael Dunkel , If the answer helped (pointed, you in the right direction) > please click Accept Answer - it will help users to find the answers quickly.
-
Michael Dunkel 0 Reputation points
2024-05-07T12:35:04.1433333+00:00 Thanks very much for the response! That's unfortunately not the exact scenario we are seeing here. We are not concerned with whether the service is actually accessible through the *.azurewebsites.net domain, and indeed it's not being accessed via that domain, but through the custom domain we have created.
The issue is that even when the server is hit through our custom domain their are two SSL certs being served, the *.azurewebsites.net, and the cert for our custom domain. The device sees the *.azurewebsites.net cert, which does not match the domain it used, and does not have the CA for, and refuses the connection for some of its actions. We have confirmed using SSL Labs Server Test on our custom domain that the azurewebsites cert is being served along the custom one.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Ben Gimblett 3,580 Reputation points Microsoft Employee2024-05-07T13:33:11.4033333+00:00 @Michael Dunkel could you share the public name here, for the behaviour you're seeing? Or, send me via begim@microsoft.com
-
Michael Dunkel 0 Reputation points
2024-05-07T21:24:34.6166667+00:00 Thank you Ben, I have sent you an email with more details.
-
ajkuma 22,841 Reputation points Microsoft Employee
2024-05-08T09:41:13.2133333+00:00 To update:
We are discussing on this offline.
Sign in to comment