question

SergeyPoltavtsev-0355 asked

Error creating Azure app service managed certificate for a subdomain

The issue is similar to the issue described in this question, but the mitigation steps did not help.

  • In the Azure portal I have tried to create an app managed certificate for my-react-app.mydomain-qa.com domain and got the following error:
    Properties.CanonicalName is invalid. Canonical name my-react-app.mydomain-qa.com​ is not a subdomain. This validation method only supports subdomains.

It states that the name is not a subdomain which is wrong. I have the following DNS records:
CAA @ digicert.com 0 issue
CNAME my-react-app my-react-app.azurewebsites.net

  • I have also tried to use the script which gave me the following error
    Properties.CanonicalName is invalid. Not found A record directly pointing to outbound ip address of website my-app-service-name. Current A record record of the hostname is empty.

Which tells me that the domain is not an apex domain, which is correct. I could not find any documentation about the domainValidationMethod parameter in order to make it treat the name as a subdomain.




azure-webapps-ssl-certificates

Grmacjon-MSFT answered

Hi @SergeyPoltavtsev-0355,

We apologize for the inconvenience this issue may have caused. Please make sure that the A record of the domain is mapped properly to the IP address of the web app. Also, make sure your web app is accessible from the public network and does not have any IP restrictions set up. You cannot validate your certificate if your web app is not accessible from the public network. Adding IP restrictions after creating a certificate will cause renewal to fail.

Hope that helps. Please let us know if the issue persists.

-Grace


@Grmacjon-MSFT

I did a cleanup: removed the custom domain, removed the CNAME, and recreated everything, and the scenario worked.

Grmacjon-MSFT commented

Hi @SergeyPoltavtsev-0355,

Thanks for the update! Glad it's now working for you.

SergeyPoltavtsev-0355 answered

Hi @Grmacjon-MSFT,

I thought that for a subdomain like my-react-app.mydomain-qa.com I need to use a CNAME, according to this documentation, which references this one, which states the following:
Map a subdomain (for example, www.contoso.com) by using a CNAME record.
Map a root domain (for example, contoso.com) by using an A record.

There are no IP restrictions and the web app is available to the public network.

A name is used for apex domains and my-react-app.mydomain-qa.com is not an apex domain. However, I tried to move it to an A record but it did not help.

DNS records:
A my-react-app <ip address>
CAA my-react-app digicert.com 0 issue

Error message:
Status Message: Properties.CanonicalName is invalid. Certificate creation failed unexpectedly for canonical name
my-react-app.mydomain-qa.com​ (Code: BadRequest)
- Properties.CanonicalName is invalid. Certificate creation failed unexpectedly for canonical name
my-react-app.mydomain-qa.com (Code:)
- (Code:BadRequest)
- (Code:)
CorrelationId: a92c095a-0322-4c36-92ac-6a6b08531d55
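
As an added example (not code from either poster or from Microsoft), the following Python check compares a record set, written the way the posts list them, against the mapping rule quoted in the answer above (CNAME for a subdomain, A record for a root domain) and confirms that the CAA records on the path permit digicert.com, the issuer named in the posted CAA records. The function names, the `ZONE` constant and the simplified CAA climb (it does not follow CNAME aliases) are assumptions of this example.

```python
# Added example. ZONE is taken from the hostname in the posts; the function
# names are hypothetical. Records use the posts' layout: TYPE NAME VALUE [FLAGS TAG].
ZONE = "mydomain-qa.com"

def parse(lines):
    """Return {fqdn: [(type, value, tag)]}; '@' means the zone apex."""
    records = {}
    for line in lines:
        f = line.split()
        if len(f) < 3:
            continue  # skip blank or incomplete lines
        rtype, name, value = f[0].upper(), f[1].lower(), f[2].lower().rstrip(".")
        fqdn = ZONE if name == "@" else f"{name}.{ZONE}"
        tag = f[4].lower() if len(f) >= 5 else None
        records.setdefault(fqdn, []).append((rtype, value, tag))
    return records

def caa_allows(records, host, ca):
    """Climb from host to the apex; the first name holding CAA records decides."""
    name = host
    while True:
        caa = [(v, tag) for t, v, tag in records.get(name, []) if t == "CAA"]
        if caa:
            issuers = [v.split(";")[0] for v, tag in caa if tag == "issue"]
            return not issuers or ca in issuers  # no 'issue' tag: unrestricted
        if name == ZONE:
            return True  # no CAA anywhere on the path: any CA may issue
        name = name.split(".", 1)[1]

def preflight(lines, host, app_host, ca="digicert.com"):
    """List mismatches between the records and the quoted mapping rule."""
    host = host.lower().rstrip(".")
    if host != ZONE and not host.endswith("." + ZONE):
        raise ValueError(f"{host} is not inside {ZONE}")
    records = parse(lines)
    wanted = "A" if host == ZONE else "CNAME"  # root: A record, subdomain: CNAME
    found = {t: v for t, v, _ in records.get(host, []) if t in ("A", "CNAME")}
    problems = []
    if wanted not in found:
        problems.append(f"{host}: expected {wanted}, found {sorted(found) or 'none'}")
    elif wanted == "CNAME" and found["CNAME"] != app_host:
        problems.append(f"{host}: CNAME targets {found['CNAME']}, not {app_host}")
    if not caa_allows(records, host, ca):
        problems.append(f"{host}: CAA does not permit {ca}")
    return problems
```

An empty list means the records match the quoted rule; the check reads only the records it is given and does not reproduce the validation App Service itself performs.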




