question

PavloSofronov-1370 avatar image
0 Votes"
PavloSofronov-1370 asked ·

Create App Service Managed Certificates

Hi,
I'm trying to create a certificate for my naked domain but I get the next error:

Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain second-language.net has an A record which is set to 20.50.2.18.

I follow the instruction here https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#create-a-free-managed-certificate-preview
and it works perfectly for the not naked domain for instance www.second-language.net and others

I have the next lines in my dns records
; A Records
@ IN A 20.50.2.18
; Others
@ IN CAA 0 issue "digicert.com"

also, other CNAME records were read from the Azure side successfully so my record does too. (cause I have the ability did certificate for CNAME)


Maybe it could help.

Also, I've noticed, in the Chrome console, request, which probably checks the elegibility, with answer

aRecords: ["193.47.99.5"]
0: "193.47.99.5"
customDomainVerificationTest: "Passed"
hasConflictAcrossSubscription: false
hasConflictOnScaleUnit: false
isHostnameAlreadyVerified: true

This answer contains a record with the api 193.47.99.5 which API of my hoster who host my dns records but my records in dns references to API 20.50.2.18

azure-webapps-ssl-certificatesazure-webapps-custom-domains
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

PavloSofronov-1370 avatar image
0 Votes"
PavloSofronov-1370 answered ·

Answer deep inside comment so I extract it to the top.

blog: https://azure.github.io/AppService/2021/03/02/asmc-apex-domain.html

Just to confirm, are you still experiencing this issue?
-DigWeb is showing that second-language.net has that A record set now.

-If the issue persist, kindly create the cert using the script from the blog?

Please make sure that the A record of the domain should map properly to the IP address of the web app.

Thanks for your feedback and follow-up on this! it's much appreciated.

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ajkuma-MSFT avatar image
0 Votes"
ajkuma-MSFT answered ·

@PavloSofronov-1370 , Thanks for the good detailed question!

As of today, the App Service Managed Certificate only supports **non-naked domain*. We have a Uservoice feedback on this, you may wish to upvote on this.

Which means, you can protect www domain https://www.second-language.net, but neither https://second-language.net (naked domain) and nor https://test.second-language.net (wildcard domain) at this time. For your case, you may want to leverage App Service Certificate instead.

Thanks for your feedback. Our product team is working on it, I’ll also relay this feedback internally.

Kindly see the difference between App Service Certificate and App Service Managed Certificate – each of these certificates can be used for different requirement:
https://microsoft.github.io/AzureTipsAndTricks/blog/tip259.html

75875-image.png



image.png (86.5 KiB)
· 6 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you very much for the answer

I follow the link with Uservoice feedback https://feedback.azure.com/forums/169385-web-apps/suggestions/38981932-add-naked-domain-support-to-app-service-managed-ce
On the last comment (March 5) I've found the next link https://azure.github.io/AppService/2021/03/02/asmc-apex-domain.html
According to this link, a naked domain should work in preview mode.

May you make some clarification about it?

Kind Regards
Pavlo

0 Votes 0 ·
ajkuma-MSFT avatar image ajkuma-MSFT PavloSofronov-1370 ·

Pavlo, Thanks for the follow-up and sharing additional details/feedback I'm checking on this internally and will get back to you shortly.
-I'll also share this feedback with our Uservoice - product team and request to update the status as necessary.

0 Votes 0 ·
ajkuma-MSFT avatar image ajkuma-MSFT PavloSofronov-1370 ·

@PavloSofronov-1370,
Following up on this, I confirm that the apex (naked/root) domain is now supported. Apologies on the delay for the feedback update and for any confusion with that.
-I have relayed this feedback to our product/Uservoice team and the Uservoice post will be updated soon.

Just to confirm, are you still experiencing this issue?
-DigWeb is showing that second-language.net has that A record set now.

-If the issue persist, kindly create the cert using the script from the blog?

Please make sure that the A record of the domain should map properly to the IP address of the web app.

Thanks for your feedback and follow-up on this! it's much appreciated.





0 Votes 0 ·

@PavloSofronov-1370, We worked/discussed with our App Service product team and the **Uservoice post** is updated now.

Thanks again for your feedback and follow-up on this. Apologies for the delayed update on the Uservoice post.
76585-image.png



To benefit the community find the right answers, please do mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.



0 Votes 0 ·
image.png (72.3 KiB)

Thank you very much for the answer

At this moment DigWeb is showing the right IP address for my A record

The issue persists from UI side, but
the script from the blog (https://azure.github.io/AppService/2021/03/02/asmc-apex-domain.html) works fine

Thank you very much for helping me.

Kind Regards
Pavlo


0 Votes 0 ·
Show more comments