Cannot add a SNI SSL certificate to a custom domain for linux app service, while it did work for other custom domains

Question

Cannot add a SNI SSL certificate to a custom domain for linux app service, while it did work for other custom domains

Rutger Schurgers 0

Adding a binding for my domain www.strixit.com via the Azure Portal's App Service's Custom domains tab keeps failing. Validation prior to trying to assign the binding works fine. I have been able to add a certificate to www.strixit.nl in the same way just fine. Can the problem be caused by me having had a custom certificate for this domain before?

I'm having the same problem with the apex domains. I can't assign add a binding to strixit.com, while it worked fine for strixit.nl. Here too validation before assigning the binding works fine.

Saraswathi Devadula 16,015 Reputation points Microsoft External Staff Moderator

2026-05-03T09:42:38.5533333+00:00
Hey Rutger, it sounds like you’ve got the DNS validation in place for [www.strixit.com] (and the apex) but the actual SSL binding step is failing—while your .nl domain works just fine. In many cases like this the issue isn’t DNS but either:

• A stale domain-to-app mapping somewhere else • A conflicting or orphaned certificate in your App Service webspace • A certificate that doesn’t meet Azure’s requirements

Here’s a checklist to work through:

Verify “domain in use” – In the Azure Portal or via Azure CLI, search across your subscriptions for any other App Service (Windows or Linux) that still has [www.strixit.com] or strixit.com bound. – If you find it, remove that binding and then retry. – If it’s orphaned in a deleted resource or another subscription you no longer control, you’ll need to raise an Azure Support ticket to have it manually released.

Confirm certificate health • If you’re using a free App Service Managed Certificate (ASMC): – Make sure the custom domain is fully mapped first (green “Validated” status under Custom domains). – Ensure your app is publicly reachable (no private endpoints or IP restrictions) so DigiCert’s HTTP-token check can succeed. • If you uploaded your own PFX: – Check it’s password-protected and in PKCS#12 (PFX) format with a private key. – Ensure it’s encrypted with Triple-DES (not AES-256). – Include the full chain (intermediates + root). – After uploading in TLS/SSL Settings → Private Key Certificates, refresh the blade and confirm it appears.

Look for IP vs SNI conflicts – On Basic+ plans you can use SNI (recommended) and IP-based SSL. If you mix IP-bindings across apps with the same certificate you can run into conflicts. Prefer SNI if possible.

Try re-adding the binding – Once you’ve cleaned up old mappings and confirmed the certificate, go back to Custom domains → Add binding. – Pick SNI SSL, select the correct cert, and save.

If you still hit an error, could you share a screenshot or the exact message? Also let me know:

Are you using the free managed certificate or a custom PFX?

What App Service Plan (tier) is your Linux app on?

Did you previously upload a PFX for this exact domain (and is it still listed under Private Key Certificates)?

Does the error mention a “conflict” or “VIP” or “already in use”?

With those details we can drill in further. Hope this gets you unstuck!

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli
https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-custom-domain-issues-azure-app-service
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=root%2Cazurecli#create-the-dns-records

3 answers

Your answer

Answer 1

TP 155.8K Volunteer Moderator

Hi Rutger,

I assume you want to add these .com custom domains to same web app you use for .nl. Please correct me if my assumption is wrong.

1. Please create below DNS records in your provider's portal for strixit.com domain:

Record type	Host	Value	TTL
CAA	@	0 issue "digicert.com"	600
TXT	asuid	B75C0F28E6472764DF2C93D35BE9258C0EF76922F4A708B602DB36284181D88C	600
TXT	asuid.www	B75C0F28E6472764DF2C93D35BE9258C0EF76922F4A708B602DB36284181D88C	600
A	@	20.105.216.13	600
CNAME	www	applicationserver-personalwebsites-aygtebdwg7dnfwhs.westeurope-01.azurewebsites.net	600

To verify CAA record is correct, you may use dig command below in Azure Cloud Shell:

dig strixit.com caa

In output you should have answer section similar to below:

;; ANSWER SECTION:
strixit.com.            600    IN      CAA     0 issue "digicert.com"

NOTE: digicert.com should be in quotes as shown above. With some DNS providers you need to enter the quotes in their portal while others you do not.

2. After successfully creating all DNS records above, please try to add .com custom domains (remove first if needed), create App Service Managed Certificates, and bindings. Once everything is working properly you can edit the DNS records and make TTLs a higher value. I have 600 to make troubleshooting quicker.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Rutger Schurgers 0 Reputation points

2026-05-04T19:06:19.2266667+00:00

Dear TP,

I did as you suggested, added the CAA record and ran the dig command in the Azure Cloud Shell. I got the output you said I should have. I removed the custom domain and tried re-adding it with a certificate again twice. No luck though. I still get only errors on the certificate, while adding the domain works:
TP 155.8K Reputation points Volunteer Moderator

2026-05-04T21:20:51.1266667+00:00

Hi Rutger, thank you for the update.

I checked and your DNS entries look correct for strixit.com, but for www.strixit.com I don't see CNAME (or A record) pointing to your web app. Not having this CNAME shouldn't stop strixit.com from working; I just wanted to point out it was missing since it would affect www.

For testing, can you try performing the steps individually? What I mean is, first remove custom domain strixit.com from your web app, and if you have any certificates (whether BYO or managed) for it delete those. Next add the custom domain, choosing All other domain providers and Add certificate later. In this way you are just adding the domain without a certificate.

In configuration, uncheck HTTPS only, save, then in your local browser enter http://strixit.com . Note I'm specifically asking you to use http:// and not https:// as normal. You have to manually enter it with http:// since modern browsers will automatically attempt https if you don't specify http. The idea is to show your site in insecure mode and in the process verify that the app service frontends are properly responding to strixit.com

Once above test is complete, please navigate to Settings -- Certificates blade. On Managed certificates tab, click Add certificate, select your strixit.com custom domain, create a new friendly name different than you have ever used before instead of using default, select A record, click Validate, then click Add.

Periodically click Refresh button and wait for certificate to be issued showing green check mark and No action needed.

Assuming certificate issues correctly, navigate to Settings -- Custom domains, click Add binding next to strixit.com, select certificate, select SNI, click Add

After above completes please test that strixit.com is working with https:// and no certificate warnings/errors. Double-check by examining certificate details in your browser to see that cert was just issued.

If it does repeat the process with your www, only make sure you have CNAME DNS record created before you start the steps.

Performing the steps individually shouldn't be necessary, however, in some cases I've seen it work which is why I mention it. Even if it doesn't work it may be helpful to see at which point the process breaks down.

Please reply back with your results and/or any questions if something I've written is unclear.

Thanks.
TP 155.8K Reputation points Volunteer Moderator

2026-05-05T22:14:16.16+00:00

@Rutger Schurgers It appears you have DNSSEC issue with strixit.com that is preventing DNS queries from resolving properly for substantial portion of global DNS servers (those that are set to fail requests if DNSSEC isn't correct).

For example, if I query www.strixit.com against 8.8.8.8 or 1.1.1.1 servers I get SERVFAIL response, where if I perform same test using your .nl it succeeds.

Take a look at results for your .com:

https://dnschecker.org/#CNAME/www.strixit.com (click Search button on the page)

And compare to results for your .nl

https://dnschecker.org/#CNAME/www.strixit.nl (click Search button on the page)

CRITICAL: Due to the validation checks that are performed before a certificate is issued the above DNS problem will cause the process to fail.

You may use link below to help with DNSSEC debugging. Click the more(+) link at the top of the page several times to see additional detail:

https://dnssec-debugger.verisignlabs.com/www.strixit.com (click into domain box and press Enter)

One option would be to remove DNSSEC from strixit.com for now. After it is removed test using dnschecker to see if you are getting all green checks. Once you have all green checks, repeat the process of adding custom domain and managed certificate to your web app.

Answer 2

Hi Saraswathi and Kagiyama,

Thanks for your responses. If I remember correctly, I used to have the www.strixit.com and strixit.com domains as custom domains with a Microsoft classic CDN. I never brought my own certificates. I don't have that resource anymore.The domains are currently not in use in any of my app services.I'm running a basic plan app service. The validation works fine and the error messages don't mention any problems:

try-add-custom-domain

Screenshot from 2026-05-03 17-14-28

I've also tried removing the custom domain and adding it again. That doesn't change anything.

I hope you can offer additional help!

Regards,

Rutger

Answer 3

kagiyama yutaka 1,990

I think the bind fails just because Azure’s old SNI‑lock for strixit.com is still latched, so remove → wait → add + bind, then recreate TLS/SSL once.

0 comments

Share via

Cannot add a SNI SSL certificate to a custom domain for linux app service, while it did work for other custom domains

3 answers

Your answer