bayo-3707 asked SnehaAgrawal-MSFT commented

Azure web app still serving old certificate

I uploaded a new certificate to my web app and added the necessary bindings.

But when I visit my website, it is showing a certificate error because it is still serving the *.azurewebsites.net certificate.

I added two subdomains, www.wellahealth.com and wellahealth.com.

www.wellahealth.com works perfectly, but wellahealth.com throws up an SSL error.

The certificate contains both domains, as seen in the screenshot (104567-screenshot-206.png).

I have many apps in the App Service plan and they all work well.

Any help will be really appreciated.


Both URLs seem to work fine for me.


Yes. I had to bind wellahealth.com as IP-based instead of the usual SNI that we use.

We are also getting reports of a similar issue on our Android app (built with Flutter). Is there a way to solve this once and for all? Our Android app uses a web API based on our domain.

Thanks


If only IP based works for those scenarios, they probably do not support SNI.


Just checking in to see if you have had a chance to see the response below. Let us know if you have any further queries.


1 Answer

SnehaAgrawal-MSFT answered

Thanks for asking the question! As I can see, the site is configured with IP SSL, and while browsing to the default site URL, the certificate corresponding to the IP SSL binding may potentially be returned instead of the default Azure certificate.

This scenario manifests itself when there are non-SNI-enabled clients hitting the website. This will cause all SNI bindings, including the default binding of WellaHealth.azurewebsites.net, to fail, as these URLs will return the IP SSL certificate.

In order to rectify this, please ensure not to use SNI bindings along with IP SSL bindings and always browse to the website over the custom domain URL if you have non-SNI clients. In case you need to use SNI bindings, you need to ensure that the certificate that is bound to the IP SSL binding is issued to protect all configured URLs for the site (including the SNI bindings) and configure the same certificate against all other bindings. This behavior is by design.

Check this official document link: "If you have an SNI SSL binding to <app-name>.azurewebsites.net, remap any CNAME mapping to point to sni.<app-name>.azurewebsites.net instead (add the sni prefix)."

I also suggest you refer to this detailed blog, "Breaking change for SNI-SSL hostnames on Azure App Service", which might be helpful.

Hope this helps. If you have any further queries or the issue remains, please let us know.
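Added example (not part of the original thread and not Azure tooling): a Python check that compares the certificate a host serves with and without the SNI extension, which is the difference between the SNI and IP SSL bindings discussed above. The function names and result labels are illustrative, and the SAN lists in the test are constructed.

```python
import socket
import ssl
import sys

def fetch_sans(address, sni=None, port=443, timeout=5.0):
    """DNS names in the served leaf certificate; sni=None sends no SNI extension."""
    ctx = ssl.create_default_context()   # the chain is still validated
    ctx.check_hostname = False           # names are compared by san_covers() instead
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def san_covers(hostname, sans):
    """True if hostname matches a SAN; a wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        # "*.example.com" covers "www.example.com" but not the apex "example.com"
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def diagnose(hostname, sans_with_sni, sans_without_sni):
    """Classify a binding from the SAN lists seen by SNI and non-SNI clients."""
    if not san_covers(hostname, sans_with_sni):
        return "mismatch-even-with-sni"   # wrong certificate bound to this hostname
    if not san_covers(hostname, sans_without_sni):
        return "sni-only"                 # non-SNI clients receive a different certificate
    return "ok-for-all-clients"           # e.g. IP SSL binding with a covering certificate

if __name__ == "__main__" and len(sys.argv) > 1:
    name = sys.argv[1]                    # hostname to check, e.g. your custom domain
    try:
        no_sni = fetch_sans(name)         # what a client without SNI support is served
    except ssl.SSLError:
        no_sni = []                       # handshake refused or untrusted without SNI
    print(name, diagnose(name, fetch_sans(name, sni=name), no_sni))
```

A result of `sni-only` means clients that do not send SNI will see a name mismatch for that hostname even though browsers report it as working.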

