Troubleshoot domain and TLS/SSL certificate problems in Azure App Service
When you set up a domain or TLS/SSL certificate for your web apps in Azure App Service, you might encounter the following common problems. This article also includes the possible causes and solutions for these problems.

At any point in this article, you can get more help by contacting Azure experts on the Microsoft Q & A and Stack Overflow forums. Alternatively, to file an Azure support incident, go to the Azure Support site, and select Get Support.

Certificate problems

You can't add a TLS/SSL certificate binding to an app

Symptom

When you add a TLS binding, you receive the following error message: "Failed to add SSL binding. Cannot set certificate for existing VIP because another VIP already uses that certificate."

Cause

This problem might happen if you have multiple IP-based TLS/SSL bindings for the same IP address across multiple apps. For example, app A has an IP-based TLS/SSL binding with an old certificate. App B has an IP-based TLS/SSL binding with a new certificate for the same IP address. When you update the app TLS binding with the new certificate, the update fails with this error because the same IP address is used for another app.

Solution

To resolve this problem, try one of the following methods:
You can't delete a certificate

Symptom

When you try to delete a certificate, you receive the following error message: "Unable to delete the certificate because it is currently being used in a TLS/SSL binding. The TLS binding must be removed before you can delete the certificate."

Cause

This problem might happen if another app uses the certificate.

Solution
You can't purchase an App Service certificate

Symptom

In the Azure portal, you can't purchase an Azure App Service certificate.

Cause and solution

This problem can happen for any of the following reasons:
An App Service certificate was renewed, but the app shows the old certificate

Symptom

The App Service certificate was renewed, but the app that uses the App Service certificate is still using the old certificate. Also, you may receive a warning that the HTTPS protocol is required.

Cause 1: Missing access policy permissions on the key vault

The key vault used to store the App Service certificate is missing access policy permissions for Microsoft.Azure.Websites and Microsoft.Azure.CertificateRegistration. The service principals and their required permissions for Key Vault access are:

| Service principal | Secret permissions | Certificate permissions |
| --- | --- | --- |
| Microsoft Azure App Service | Get | Get |
| Microsoft Azure CertificateRegistration | Get, List, Delete | Get, List |

Solution 1: Modify the access policies for the key vault

To modify the access policies for the key vault, follow these steps:
Cause 2: The app service has not yet synced with the new certificate

App Service automatically syncs your certificate within 48 hours. When you rotate or update a certificate, sometimes the application is still retrieving the old certificate and not the newly updated certificate. The reason is that the job to sync the certificate resource hasn't run yet. To resolve this problem, sync the certificate manually, which automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.

Solution 2: Force a sync for the certificate

To force a sync for the certificate, follow these steps:
An App Service is showing the wrong certificate

Symptom

When browsing the App Service, it is presenting the wrong certificate.

Cause

This problem can manifest when both IP SSL and SNI-based bindings have been configured for the App Service. When non-SNI clients hit the IP SSL endpoint, the IP SSL certificate gets cached. Now even if SNI-enabled clients hit the site, they will be presented with the IP SSL certificate, causing an invalid certificate to be presented.

Solution

Please ensure not to use SNI bindings along with IP SSL bindings, and always browse to the website over the custom domain URL if you have non-SNI clients. In case you need to use SNI bindings, you need to ensure that the certificate that is bound to the IP SSL binding is issued to protect all configured URLs for the site (including the SNI bindings), and configure the same certificate against all other bindings. This behavior is by design.

Custom domain problems

A custom domain returns a 404 error

Symptom

When you browse to the site by using the custom domain name, you receive the following error message: "Error 404 - Web app not found."

Cause and solution

Cause 1

Your configured custom domain is missing a "CNAME record" or an "A record".

Solution for cause 1
Cause 2

The internet browser might still be caching the old IP address for your domain.

Solution for cause 2

Clear the browser cache. For Windows devices, you can run the command

You can't add a subdomain

Symptom

You can't add a new host name to an app to assign a subdomain.

Solution
DNS can't be resolved

Symptom

You received the following error message: "The DNS record could not be located."

Cause

This problem happens for one of the following reasons:
Solution
You need to restore a deleted domain

Symptom

Your domain is no longer visible in the Azure portal.

Cause

The subscription owner might have accidentally deleted the domain.

Solution

If your domain was deleted fewer than seven days ago, the domain hasn't started the deletion process. In this case, you can buy the same domain again on the Azure portal under the same subscription. (Be sure to type the exact domain name in the search box.) You won't be charged again for this domain. If the domain was deleted more than seven days ago, contact for help with restoring the domain.

Domain problems

You purchased a TLS/SSL certificate for the wrong domain

Symptom

You purchased an App Service certificate for the wrong domain. You can't update the certificate to use the correct domain.

Solution

Delete that certificate, and then buy a new certificate. If the current certificate that uses the wrong domain is in the "Issued" state, you'll also be billed for that certificate. App Service certificates aren't refundable, but you can contact for other possible options.

Domain verification is not working

Symptom

The App Service certificate requires domain verification before the certificate is ready to use. When you select Verify, the process fails.

Solution

Manually verify your domain by adding a TXT record:
As an alternative, you can use the HTML webpage method to manually verify your domain. This method allows the certificate authority to confirm ownership of the domain for which the certificate is issued.
For example, if you're buying a standard certificate for azure.com with the domain verification token 1234abcd, a web request made to https://azure.com/1234abcd.html should return 1234abcd.

Important: A certificate purchase has only 15 days to complete the domain verification operation. After 15 days, the certificate authority denies the certificate, and you're not charged for the certificate. In this situation, delete this certificate and try again.

You can't purchase a domain

Symptom

You can't buy an App Service domain in the Azure portal.

Cause and solution

This problem happens for one of the following reasons:
You can't add a host name to an app

Symptom

When you add a host name, the process fails to validate and verify the domain.

Cause

This problem happens for one of the following reasons:
FAQ

Do I have to configure my custom domain for my website once I buy it?

When you purchase a domain from the Azure portal, the App Service app is automatically configured to use that custom domain. You don't have to take any further steps. For more information, watch Azure App Service Self Help: Add a Custom Domain Name on Channel9.

Can I use a domain purchased in the Azure portal to point to an Azure virtual machine instead?

Yes, you can point the domain to a virtual machine. For more information, see Use Azure DNS to provide custom domain settings for an Azure service.

Is my domain hosted by GoDaddy or Azure DNS?

App Service Domains use GoDaddy for domain registration and Azure DNS to host the domains.

I enabled auto-renew but still received a renewal notice for my domain via email. What should I do?

If you enabled auto-renew, you don't need to take any action. The renewal notice through email only informs you that the domain is close to expiration and that, if auto-renew isn't enabled, you have to manually renew.

Will I be charged for Azure DNS hosting my domain?

The initial cost of domain purchase applies to domain registration only. Along with the registration cost, Azure DNS incurs charges, based on your usage. For more information, see Azure DNS pricing.

I purchased my domain earlier from the Azure portal and want to move from GoDaddy hosting to Azure DNS hosting. How can I do this?

You're not required to migrate to Azure DNS hosting. If you want to migrate to Azure DNS, the domain management experience in the Azure portal provides information about the steps necessary to move to Azure DNS. If you bought the domain through App Service, migration from GoDaddy hosting to Azure DNS is a relatively seamless procedure.

I would like to purchase my domain from App Service Domain, but can I host my domain on GoDaddy instead of Azure DNS?

Starting on July 24, 2017, Azure hosts App Service domains purchased from the Azure portal on Azure DNS. If you prefer to use a different hosting provider, you must go to their website to obtain a domain hosting solution.

Do I have to pay for privacy protection for my domain?

When you purchase a domain through the Azure portal, you can choose to add privacy at no extra cost. This benefit is included with purchasing your domain through Azure App Service.

If I decide I no longer want my domain, can I get my money back?

When you purchase a domain, you're not charged for five days. During this time, you can decide whether to keep the domain. If you choose to not keep the domain within this duration, you're not charged. However, domains that end with

Can I use the domain in another Azure App Service app in my subscription?

Yes, when you access the Custom domains and Certificates pages in the Azure portal, you see the domains that you purchased. You can configure your app to use any of those domains.

Can I transfer a domain from one subscription to another subscription?

Yes, you can move a domain to another subscription or resource group using the Move-AzResource PowerShell cmdlet.

How can I manage my custom domain if I don't currently have an Azure App Service app?

You can manage your domain even if you don't have an App Service web app. You can use the domain for Azure services such as Virtual Machines, Azure Storage, and so on. If you plan to use the domain for App Service web apps, you must include a web app that's not on a free App Service plan so that you can bind the domain to your web app.

Can I move a web app with a custom domain to another subscription or from App Service Environment v1 to v2?

Yes, you can move your web app across subscriptions. Follow the guidance in How to move resources in Azure. Some limitations apply when you move a web app. For more information, see Limitations for moving App Service resources. After you move a web app, the host name bindings of the domains within the custom domains setting should stay the same. No extra steps are required to configure the host name bindings.

What file formats are returned when I download my App Service Certificate from its Key Vault?

When you select "Download as a certificate" for the App Service Certificate under its Key Vault/Secrets, the certificate file format will be .pfx. No password will be applied to the file.

What file format can I use to upload a certificate to my App Service?

The certificate file format must be a .pfx file with a password applied to the file. The certificate must also meet the certificate requirements mentioned. If you have obtained your certificate from a third-party CA and the file format is .PEM/.KEY, you can use a tool like OpenSSL to convert the file(s) to the .pfx file format. The private key must be included during the conversion, as it is required in the .pfx file format. Also, if your certificate authority gives you multiple certificates in the certificate chain, you have to merge the certificates following the same order. For more information, please see.

How do I generate a certificate signing request (CSR) for an App Service Certificate?

For an App Service Certificate, you purchase through the Azure portal or by using a PowerShell/CLI command; a CSR is not needed. However, Azure Key Vault supports storing digital certificates issued by any certificate authority (CA). It supports creating a certificate signing request (CSR) with a private/public key pair. The CSR can be signed by any CA (an internal enterprise CA or an external public CA). For more information, please see here.
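An added example, not from this article or from Microsoft's tooling: a POSIX shell script that performs the OpenSSL conversion described above, keeps the private key in the bundle, merges the CA chain in the order the CA supplied it, and checks the resulting .pfx before you upload it. The demo CA, the host name www.example.com and the password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or from Azure tooling: bundle a PEM
# certificate, its private key and the CA chain into the password-protected
# .pfx that App Service accepts, then check the bundle before uploading it.
set -eu

# merge_chain OUT INTERMEDIATE...: concatenate the CA's intermediates in the
# order the CA supplied them, so the chain in the .pfx keeps that order.
merge_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

# build_pfx LEAF KEY CHAIN OUT PASSWORD: the private key must be present
# (-inkey); CHAIN may be "" when the CA supplied no intermediates.
build_pfx() {
  leaf=$1; key=$2; chain=$3; out=$4; pass=$5
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -inkey "$key" -in "$leaf" -certfile "$chain" \
      -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -inkey "$key" -in "$leaf" \
      -out "$out" -passout "pass:$pass"
  fi
}

# pfx_has_private_key PFX PASSWORD: App Service rejects a bundle without the key.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# pfx_cert_count PFX PASSWORD: certificates in the bundle (leaf plus chain).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# make_demo_material DIR: constructed stand-ins for what a CA would return,
# a throwaway root CA and a leaf for www.example.com that it signs.
make_demo_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.pem" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$1/site.key" \
    -out "$1/site.csr" -subj "/CN=www.example.com" 2>/dev/null
  openssl x509 -req -in "$1/site.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/site.pem" -days 2 2>/dev/null
}
```

With real CA output, call merge_chain on the intermediates first and pass the merged file as CHAIN to build_pfx; pfx_has_private_key and pfx_cert_count then confirm the key is present and the chain is complete before you upload the bundle.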