ozbobwa asked:

Will Bindings update upon certificate expiry?

When an App Service SSL certificate expires, and another Healthy certificate is already installed, why don't the Bindings automatically update to the new certificate for each Host name?

Query raised to Docs team to include guidance: https://github.com/MicrosoftDocs/azure-docs/issues/79733

on the Documentation https://docs.microsoft.com/en-gb/azure/app-service/configure-ssl-bindings

Tags: azure-webapps, azure-webapps-ssl-certificates

https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-domain-ssl-certificates#an-app-service-certificate-was-renewed-but-the-app-shows-the-old-certificate
does mention the 'app shows old certificate', and clicking 'SYNC' will update the hostname bindings if not done automatically. I don't have a SYNC button on my App Service. I manually uploaded the cert to the AppService rather than using an AppServiceCertificate and KeyVault. Maybe I should do that next time...

0 Votes 0 ·
SnehaAgrawal-MSFT answered (0 Votes):

Thanks for asking the question! If I have understood right, you have purchased a certificate from Azure Services,

[screenshot: app-service-certificate-microsoft-azure.png]

and have imported the certificate into your Azure Key Vault via certificate configuration.

To turn on automatic renewal of your certificate, select the certificate in the App Service Certificates page, then click Auto Renew Settings in the left navigation.

[screenshot: democertificate-microsoft-azure.png]

Select On and click Save.
Certificates can start automatically renewing 60 days before expiration if you have the automatic renewal turned on.
Renew App Service certificate automatically. Once the renew operation is complete, click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Additional information: As mentioned in this blog

Q. My SSL certificate is not being auto-renewed?

Ans: All App Service certificates issued prior to March 31st 2017 will receive an email to re-verify their domain at the time of renewal even if auto-renewal is enabled for your certificate. This is a result of a change in GoDaddy policy. Please check your email and complete this one-time domain verification to continue to auto-renew the SSL certificate. Also, note that GoDaddy does require you to verify your domain once every three years, and you will receive an email once every three years to verify your domain.


Hope this helps. Let us know if further query or issue remains.


"you have purchased certificate from Azure Services" - nope, that is an incorrect assumption.

I purchased a certificate from a 3rd party GeoTrust as the Azure Services did not support wildcard domains. I understand they do now and next time my cert comes up for renewal I will compare it for my '.accountants' domain.

I installed the certificate before the old one expired.

I did not update the bindings to the new certificate.

When the old certificate expired, the bindings for the 2 host names *.{mysite}.com and {mysite}.com (example only), did not automatically get updated to the Healthy certificate, which I had (incorrectly) expected.

0 Votes 0 ·

Hi @ozbobwa, certificate renewal should take into consideration uploaded PFXs. Let's continue offline to see what may have happened with the bindings. Please respond to the private comment below.

1 Vote 1 ·
ozbobwa answered (1 Vote):

Bindings will not automatically update for any host names when the certificate has been manually loaded into App Service Private PFX Certificates.

Azure Key Vault and App Service Certificates support wildcard domains now, so that is an option for next certificate renewal.


@ozbobwa, based on your feedback, we have made an update to the Azure doc for additional clarity on this: Renew certificate binding.

Thanks for your feedback! Once again, we apologize for all the inconvenience with this issue.
Please rest assured that we have also internally relayed the feedback to the product team.


1 Vote 1 ·

We apologize for the inconvenience with this issue! We have reached out to product group and content author on updating this document to make this clearer. Will keep you posted here. Thanks.

0 Votes 0 ·
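As an added example (not from this thread or from Microsoft), the check a practitioner would want after ozbobwa's answer: given an app's certificate list and host name binding state, find bindings that still point at an expired or soon-to-expire uploaded certificate, pick a healthy certificate that covers the host, and print the `az webapp config ssl bind` command that would move the binding. The sample data is constructed; the field names follow the shape of `az webapp config ssl list` and `hostNameSslStates` output, and the 30-day window and wildcard matching rule are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (thumbprints, names and dates are made up), shaped like
# `az webapp config ssl list` output. Note two certs cover the same hosts:
# the expiring uploaded one and the healthy replacement that is not yet bound.
NOW = datetime(2021, 8, 1, tzinfo=timezone.utc)
CERTS = [
    {"thumbprint": "AAAA1111", "subjectName": "*.contoso.com",
     "hostNames": ["*.contoso.com", "contoso.com"], "expirationDate": "2021-08-05T00:00:00+00:00"},
    {"thumbprint": "BBBB2222", "subjectName": "*.contoso.com",
     "hostNames": ["*.contoso.com", "contoso.com"], "expirationDate": "2022-08-01T00:00:00+00:00"},
]
# Constructed binding state, shaped like hostNameSslStates from `az webapp show`.
BINDINGS = [
    {"name": "www.contoso.com", "thumbprint": "AAAA1111", "sslState": "SniEnabled"},
    {"name": "contoso.com", "thumbprint": "AAAA1111", "sslState": "SniEnabled"},
]

def covers(cert_host, host):
    """True if a certificate host name (possibly *.suffix) covers host.
    A wildcard matches exactly one label, as browsers enforce."""
    if cert_host.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest.lower() == cert_host[2:].lower()
    return cert_host.lower() == host.lower()

def expires_within(cert, now, days):
    return datetime.fromisoformat(cert["expirationDate"]) <= now + timedelta(days=days)

def best_replacement(host, certs, now, days):
    """Healthy cert covering host with the latest expiry, or None if there is none."""
    ok = [c for c in certs if not expires_within(c, now, days)
          and any(covers(h, host) for h in c["hostNames"])]
    return max(ok, key=lambda c: c["expirationDate"], default=None)

def plan_rebinds(bindings, certs, now=NOW, days=30):
    """(host, current thumbprint, replacement thumbprint or None) for each stale binding."""
    by_tp = {c["thumbprint"]: c for c in certs}
    plan = []
    for b in bindings:
        cur = by_tp.get(b["thumbprint"])
        if cur is None or expires_within(cur, now, days):
            new = best_replacement(b["name"], certs, now, days)
            plan.append((b["name"], b["thumbprint"], new["thumbprint"] if new else None))
    return plan

if __name__ == "__main__":
    for host, old, new in plan_rebinds(BINDINGS, CERTS):
        if new is None:
            print(f"{host}: no healthy certificate covers this host")
            continue
        print(f"az webapp config ssl bind --name <app> --resource-group <rg> "
              f"--certificate-thumbprint {new} --ssl-type SNI  # {host}: {old} -> {new}")
```

Run it from a job that pulls the two `az` outputs on a schedule; a host that reports no healthy replacement is the case to alert on, because the binding will fail at expiry exactly as described in the thread.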