Pending Issuance - Azure SSL App Service Certificate - azure

I have an Azure Web App that has an SSL certificate. This certificate is set to auto-renew.
However, it has stopped working. When I log on to the Azure portal, it says "perform required domain verification" and the status of the certificate says "Pending Issuance". The expiry date is yesterday, so I guess it has expired.
But....
Why didn't it auto-renew?
Why is it telling me to verify the domain again? (I did this when I bought it 2 years ago)
I looked at the steps in the portal to verify the domain by updating the txt record in my DNS.
Done that.
It's been like an hour and it still doesn't work.
Do I need to just wait?
Can anyone explain what's going on here?

Glad you got it working. Just to highlight something on renewal of the certificate.
As mentioned in this doc "Beginning September 23 2021, App Service certificates require domain verification during renew or rekey if you haven't verified domain in the last 395 days. The new certificate order remains in "pending issuance" during renew or rekey until you complete the domain verification.
Unlike App Service Managed Certificate, domain re-verification for App Service certificates is not automated, and failure to verify domain ownership will result in failed renewals. Refer to verify domain ownership for more information on how to verify your App Service certificate."
If you are going to renew/rekey your certificate, and it's been > 395 days since you last verified domain ownership, you would be required to verify domain ownership again in order to have the new certificate issued to you. If it's been < 395 days, your certificate will be automatically issued again without additional action needed from you. Similar discussion here.

In the end what I did was delete the current certificate and create a new one. That got the site back up and running without waiting around.

Related

App Service Certificate Denied but Domain verification passed?

Based on the documentation I've read, the "Denied" status should only happen if the domain fails to verify.
But clearly the verification passed so I'm not sure what else to do.
Attempting to follow the sub-steps under the Assign step just leads to errors related to
the cert being in the "Denied" state still.
This happens when domain verification for the certificate is not completed within 45 days, causing the certificate to be in the Denied state. The certificate will not be billed.
The suggestion is to delete the certificate and request a new certificate.
Also note that: For a Standard certificate, the certificate provider gives you a certificate for the requested top-level domain and its www subdomain (for example, contoso.com and www.contoso.com). However, beginning on December 1, 2021, a restriction is introduced on the App Service and the Manual verification methods. Both of them use HTML page verification to verify domain ownership. With this method, the certificate provider is no longer allowed to include the www subdomain when issuing, rekeying, or renewing a certificate.
The Domain and Mail verification methods continue to include the www subdomain with the requested top-level domain in the certificate.
see: FAQ SSL certificates for Web Apps and App Service Certificates
Check this official document: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal#import-an-app-service-certificate
In this case, the issue was not domain verification as stated in the other answer here and in the documentation, but was a misconfigured CAA record on the DNS.
For wildcard certs you need to have a "0 issuewild godaddy.com" record on the root domain, not on a star (*) domain.
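To show why the record must sit on the root name, here is an added example (not code from the answer above or from any Azure tooling) that evaluates CAA records the way a CA does under RFC 8659: the "*" label is discarded before the lookup, then ancestors are tried until a non-empty CAA set is found, and for a wildcard request issuewild tags supersede issue tags. The zone contents and the contoso.example names are constructed for the example; "godaddy.com" is the issuer value from the answer.

```python
"""Added example: decide whether a CA may issue for a name under CAA rules.

The zone data below is constructed for illustration (not from the original
answer); "godaddy.com" is the issuer value the answer above uses. The lookup
follows RFC 8659: strip a leading "*" label, then climb toward the root
until a non-empty CAA RRset is found.
"""

CRITICAL = 128          # RFC 8659 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zones: name -> list of (flags, tag, value) CAA records.
ZONE_CORRECT = {
    "contoso.example": [
        (0, "issue", "digicert.com"),
        (0, "issuewild", "godaddy.com"),
    ],
}
# Same records, but issuewild was published on the "*" name, as in the failing setup.
ZONE_MISPLACED = {
    "*.contoso.example": [(0, "issuewild", "godaddy.com")],
    "contoso.example": [(0, "issue", "digicert.com")],
}


def relevant_caa(zone, name):
    """Return the relevant CAA RRset for `name` (RFC 8659 section 3).

    A wildcard label is discarded first, so a record published at
    "*.contoso.example" is never consulted. Then each ancestor is tried in
    turn and the first non-empty RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return list(rrset)
        labels = labels[1:]
    return []


def _issuers(records, tag):
    """Issuer domains named by records carrying `tag`; a bare ";" means nobody."""
    out = set()
    for _flags, t, value in records:
        if t == tag:
            issuer = value.split(";", 1)[0].strip().lower()
            if issuer:
                out.add(issuer)
    return out


def issuance_allowed(zone, name, ca):
    """True if `ca` may issue a certificate for `name` under the zone's CAA.

    Wildcard requests: issuewild tags supersede issue tags; without any
    issuewild tag the issue tags apply. Non-wildcard requests: only issue
    tags apply. No relevant records at all means any CA may issue."""
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True
    # A record flagged critical whose tag the CA does not understand forbids issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    wildcard = name.startswith("*.")
    has_issue = any(t == "issue" for _, t, _ in rrset)
    has_issuewild = any(t == "issuewild" for _, t, _ in rrset)
    if wildcard and has_issuewild:
        return ca.lower() in _issuers(rrset, "issuewild")
    if has_issue:
        return ca.lower() in _issuers(rrset, "issue")
    return True


if __name__ == "__main__":
    for label, zone in (("correct", ZONE_CORRECT), ("misplaced", ZONE_MISPLACED)):
        print(label, "*.contoso.example via godaddy.com:",
              issuance_allowed(zone, "*.contoso.example", "godaddy.com"))
```

With the misplaced zone the wildcard lookup lands on the apex, finds only the issue record for a different CA, and the wildcard order is refused; moving the issuewild record to the apex is what makes it succeed.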

Problem with SSL WIldcard Certificate on Azure App Service

Firstly, I had a working custom subdomain for my App Service.
Then I bought an SSL wildcard certificate and generated a pfx file with a password. Next I uploaded the certificate using Upload Certificate under Private Key Certificates. The certificate has Health Status = Healthy.
Finally, under the binding tab I added a TLS/SSL binding for my custom domain, chose this certificate and its type = SNI SSL. Everything seems to be fine; under custom domain there is SSL State = Secure and SSL Binding = SNI SSL.
When I go to my website - there is no information about any certificates.
I also tried the same with Create App Service Managed Certificate - the same effect, status Healthy, but certificate does not appear on the browser.
#mateuszwdowiak It sounds like you successfully added the SSL binding.
There are two main issues that I can think of that might have produced the unexpected results that you encountered. Firstly, it can take some time for SSL certificates to propagate out across the web. From my experience, I've seen it take up to 3 hours. Just because the Azure portal says it's bound does not mean it will be getting served up just yet.
Secondly, I've seen browser cache also come into play.
It's been a few days but I wanted to see if you resolved this issue. If not, can you please try re-binding your wildcard cert, wait up to 3 hours, and then, using a fresh browsing session, attempt to browse your site. This should resolve the matter. If not, please reply back so we can assist you further.
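Rather than waiting on a browser that may be caching an old session, a practitioner can ask the endpoint directly which certificate it serves for the custom domain. The following is an added example (not code from the answer above or from Azure), using only the Python standard library: it opens a TLS connection with an explicit SNI name, since an SNI SSL binding selects the certificate by that name, and then checks whether the returned certificate's DNS names cover the host and how long it has left. The SAMPLE_CERT dict and the contoso.example names are constructed so the checks can be exercised offline; it mirrors the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Added example: inspect the certificate actually served for a host name.

Only served_certificate() needs network access. SAMPLE_CERT is a constructed
stand-in in getpeercert() format so the checks can run offline; the host
names used are made up."""
import socket
import ssl
import sys
import time


def served_certificate(host, port=443, server_name=None, timeout=5.0):
    """Connect with TLS and return the peer certificate as a dict.

    server_name is the SNI value sent (default: host). An SNI SSL binding
    picks the certificate by this name, so sending the custom domain shows
    exactly what a browser would receive, with no browser cache involved.
    A verification failure raised here is itself a finding: it usually
    means the default or an expired certificate is still being served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            return tls.getpeercert()


def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: "*" may only be the entire leftmost label and
    matches exactly one label, so *.contoso.example covers
    app.contoso.example but neither contoso.example nor a.b.contoso.example."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, dot, tail = pattern.partition(".")
    if head != "*" or not dot or "*" in tail:
        return False
    h_head, h_dot, h_tail = hostname.partition(".")
    return bool(h_head) and bool(h_dot) and h_tail == tail


def dns_names(cert):
    """All DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_cert(cert, hostname, now=None):
    """Summarise whether `cert` covers `hostname` and how many days remain."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = dns_names(cert)
    return {
        "dns_names": names,
        "covers_host": any(wildcard_matches(n, hostname) for n in names),
        "days_left": (not_after - now) / 86400,
    }


# Constructed sample in getpeercert() format: a wildcard cert that also lists the apex.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.contoso.example"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "*.contoso.example"), ("DNS", "contoso.example")),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python served_cert.py <custom-domain>")
    host = sys.argv[1]
    print(check_cert(served_certificate(host), host))
```

Run it against the custom domain a few times after binding: once "covers_host" turns True and "days_left" matches the new certificate, propagation is done and anything a browser still shows is cache.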

Azure Front Door SSL Certificate Update

I have set up an Azure Front Door on top of my Function APIs. I have set up a custom domain and SSL certificate for the same. The certificate was bought from Azure and was set to auto-renew. After a year, the certificate expired in the Front Door. The App Service certificate was auto-renewed but the Front Door did not get the update. I had to manually go to the site to update the certificate with the new secret from the key vault. Why is this happening? Shouldn't the certificate be updated automatically? Please advise.
Please refer to the below link, which says:
The certificate will auto-renew within 90 days. But if it does not renew, even with less than 60/30 days remaining, then you need to file a ticket with the support team.
https://learn.microsoft.com/en-us/answers/questions/75126/azure-front-door-automatic-ssl-certificate-renewal.html

SSL Certificate Validation Azure

I registered my domain on Azure and purchased a certificate through Azure.
I successfully stored the certificate in a vault.
I cannot get past the verification. It is supposed to verify automatically since both the domain registration and the SSL purchase were done through Azure.
I tried getting it to send me a verification email, but that errored out.
This may be caused by Azure not being able to identify your domain owner information. I would suggest that you partially disclose your domain owner information so Azure can find the domain owner and verify this domain for you. You could also select the manual domain verification method.
Additionally, If you don’t see your domain validated within an hour, you could open a support ticket. Feel free to let me know if you still have a question.

Does renewing SSL certificate require re-issuing the cert?

I have an SSL certificate that I am using to secure port 443 (HTTPS) on my nginx server running on Ubuntu for about 10 months now.
When I bought the cert, I got it for one year, so I have about 2 more months with this certificate.
My question is: "When I renew this cert, Will I just need to pay for renewal? or will I have to re-issue the cert with a new CSR, and have a potential downtime while installing?
I need to plan for any downtime from now.
Thanks in advance for your answers.
It's not possible to extend the expiration of an existing certificate once issued. The only way is to issue a new certificate.
Most certificate authorities offer a "renewal" concept, which provides some advantages compared to a new purchase. For example, you can renew in advance of the certificate expiration, and they will issue the new certificate from the expiration of the previous one, and not from the day the new one is issued.
The re-issue or re-key is a different thing. It generally means re-keying an existing certificate order with a different private key and/or CSR. It generally doesn't change the expiration of the certificate, hence it's not a renewal. Both renews and rekeys result in a new certificate (again, it's not possible to change an existing certificate once issued), but the rekey only alters the certificate information and not the expiration.
A renewal can be issued with the same original CSR and key, or with a completely new one. It's up to you.
As in all cases a new certificate is issued, you will have to replace the existing one. Replacing a certificate is generally a no-downtime task. You simply upload the new one, change the server settings and reload them (or restart the server).
Most web servers, including Nginx, support hot reloads, therefore you don't need to restart the server and wait for it to reboot.
If planned correctly, the renewal will be a no downtime task.
To get the new one you might or might not need to submit a new CSR, depending on the CA. But in any case you get a new certificate file and need to replace the existing certificate on your server with a new one. See also
https://www.digicert.com/ssl-certificate-renewal.htm
Renewal of an SSL certificate keeps the security of your website alive along with your verified identity. A lapse in renewal can cause a warning on your website that warns your customers to move away from your site.
It depends on the SSL provider whether you should continue with the old CSR or generate a new CSR, but it is recommended to create a new one to get rid of misconfiguration. However, it is a myth that your server will face downtime in the renewal of an SSL certificate.
Certificate renewal and re-issuance are different terms. Certificate renewal happens after the expiry of a certificate, while certificate re-issuance happens in the case of a lost private key, or when you want to change the domain/organization name or add new SAN names.
Most certificate providers send renewal reminder emails frequently before certificate expiry. So it is advisable to renew your certificate early; you can take advantage of getting an additional validity period from early renewals.
This article may help you to understand the certificate renewal process. https://www.ssl2buy.com/wiki/how-to-renew-ssl-certificate/
To answer shortly: no, renewing an SSL certificate does not require re-issuing the cert, simply because reissue and renewal are 2 different actions with an SSL certificate.
As you explained your situation, you are left with 2 months on your existing certificate and after that it will expire, so a renewal is required. A reissue (Revoke & Replace) is quite different, in that you cancel your current, valid SSL/TLS certificate for any reason and request a new one.
Reissue:
Reissue of certificates is the process where a certificate has to be regenerated with the Certificate Authority if needed, for example if you have lost your private key. For that, the CA views the details of your certificate from the list of certificates they have and then reissues the certificate.
Furthermore, the process is much the same as the original activation: pasting the CSR for the same domain name, selecting and approving the email. Reissuing a certificate changes its Certificate ID, and a new certificate record is also added to the account.
Renewal:
On the other hand, renewal of a certificate may seem pretty much the same as purchasing a new certificate, but it's different. Renewal functionality is fully integrated within the module. If the "Payment Type" setting is set to "Recurring" while creating a product, invoices for renewals will be generated automatically. Once paid, renewal of SSL certificates will be created automatically as well. One thing to note is that, after the renewal of the SSL certificate, activation is still required through a CSR.
Now one important thing is that, if you renew it before the actual expiry date, like in your situation 2 months before, your new certificate will have an expiration date one year (or several, if you choose a duration of more than one year) from the expiration date of the initial SSL certificate, so you will not lose any time on it.
