question

SeanMalloy-5510 asked SilvaPaulaD-8141 commented

Why is deployment of an SSL/TLS certificate bought through Azure failing?


I am trying to buy and apply an SSL/TLS Azure certificate in App Services for a client in their Azure portal. When we buy the certificate, the deployment fails. Attached are the deployment records. I have looked at multiple MS documentation pages. The client wants to change from a DigiCert certificate to one bought through Azure. I get this error on the deployment page. [159778-certificate-deploy-failure.txt][1]

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"message":"The following validation errors were found"}]}

BadRequest


azure-webapps-ssl-certificates

ajkuma-MSFT answered

@SeanMalloy-5510, adding info:

1. App Service Managed Certificate (ASMC): A private certificate that's free of charge and easy to use if you just need to secure your custom domain in App Service.
   The free certificate is issued by DigiCert. For some domains, you must explicitly allow DigiCert as a certificate issuer by creating a CAA domain record with the value: 0 issue digicert.com.

2. App Service Certificate (ASC): A private certificate that's managed by Azure. Takes care of the purchase process from GoDaddy. You can export this certificate to be used somewhere else.


ajkuma-MSFT answered

@SeanMalloy-5510,

Firstly, please do not share any PII data on the public forum for your privacy and security.

I have checked the logs internally, and I see that a DNS CAA record exists for domain(s) xxx.xxx.com which forbids the issuance of this certificate.
I have posted a private comment sharing more details; kindly check that.

You have mentioned that "The client wants to change from a digicert certificate to one bought through Azure". If you're looking to link an ASC to your existing WebApp, see this doc.

You can bind an ASC (App Service Certificate) to an Azure WebApp hosted on Azure App Service. See the steps in this doc: Secure a custom DNS name with a TLS/SSL binding in Azure App Service
Or, if you're looking to export the ASC to be used for a WebApp hosted somewhere else, you can do that. Once the certificate has been created, you can go to the Key Vault and download the cert as a PFX file; see this doc #import-an-app-service-certificate

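The CAA behaviour both answers point to, as an added example that is not part of the thread: it applies the RFC 8659 lookup to constructed zone data to show how a record that permits only one CA blocks issuance by another. The `example.com` records and the use of `godaddy.com` as the issuer identifier for App Service Certificates are assumptions.

```python
# Added example (not from the thread). Zone data below is constructed.
# Assumption: "godaddy.com" is the CAA issuer identifier for App Service
# Certificates; the thread only says the purchase goes through GoDaddy.

def relevant_caa(fqdn, zone):
    """RFC 8659: climb from the name toward the root; the first non-empty
    CAA record set found is the only one that applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_allowed(fqdn, issuer, zone, wildcard=False):
    """Return (allowed, reason) for `issuer` issuing a cert for `fqdn`."""
    name, records = relevant_caa(fqdn, zone)
    if not records:
        return True, "no CAA records anywhere in the hierarchy"
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    wild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests.
    values = wild if (wildcard and wild) else issue
    if not values:
        return True, f"CAA at {name} has no issue restriction for this request"
    # Parameters after ';' are ignored here; a bare ';' value names no CA.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    if issuer.lower() in allowed:
        return True, f"CAA at {name} lists {issuer}"
    names = sorted(allowed - {""})
    return False, f"CAA at {name} permits only {names}"

# Constructed sample: (flags, tag, value) tuples keyed by owner name.
ZONE = {
    "example.com": [(0, "issue", "digicert.com")],
    "shop.example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "iodef", "mailto:sec@example.com")],
}

def report(zone=ZONE):
    """Check both issuers named in the thread for each sample hostname."""
    return [(host, issuer) + issuer_allowed(host, issuer, zone)
            for host in ("www.example.com", "shop.example.com")
            for issuer in ("digicert.com", "godaddy.com")]

if __name__ == "__main__":
    for host, issuer, ok, why in report():
        print(f"{host:18} {issuer:13} {'OK' if ok else 'BLOCKED':8} {why}")
```

In the sample, `www.example.com` inherits the parent's record, so a DigiCert-issued certificate passes while a GoDaddy-issued one is blocked until a matching `issue` value is added or the restricting record is removed.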

SeanMalloy-5510 answered SilvaPaulaD-8141 commented

I got it figured out. Yes, I am a co-admin; I had set up the free App Service certs for the two app services I was working on. I figured out what DNS records I needed to delete to buy the standard certificates in the app services and then add them to a key vault. I then bound them to the correct app services. Thank you for giving a direction to figure it out.

@SeanMalloy-5510, glad to know that the issue is resolved. Thanks for the update.
Much appreciated, thanks for your great feedback. Happy Holidays!

To help the community find the right answers, please mark the post which was helpful by clicking on ‘Accept Answer’ & ‘Up-Vote’.

Good morning, I have the same issue. What DNS records did you have to delete?

I will have to go back and look; I did that months ago for a client.

I just cannot figure out why Azure does not let me create an App Service Certificate.
