I have an web app on Azure with a myapp.azurewebsites.net address and have been following the guide here:
https://learn.microsoft.com/en-USazure/app-service-web/app-service-web-tutorial-custom-domain
Based on this, I have added the hostname in the app settings and it has been verified. I have also added the A Record and TXT record in my domain hosting provider based on the instructions (A Record points to the Azure website IP address) along with installing the SSL certificate for the external domain on the external host.
However when I type in the custom domain name, it goes to the page on the external host instead of the Azure website
What I would like to happen is: https://custom.domain will show the same as https://myapp.azurewebsites.net
Is this even possible ?
As far as I know, the certificate is used to tell the user(client browser) this website is secure.
Normally, there are two reasons why the browser window showed the non-secure page.
You're probably using a self-signed certificate.
You may have left out intermediate certificates when you export your certificate to the PFX file.
So if you want your custom domain doesn't show the non-secure page, you need buy a certificate from the azure or some other company.
After verifying domain ownership, then you could bind this certificate to your azure web app.
After this operation, it will work well.
More details about how to buy certificate with custom domain in the azure, you could refer to this article.
After buying the azure certificate, you could find the certificate as below image shows:
After binding the certificate well, it will not show the no-secure page in the browser.
Image 1:
Image 2:
I saw that creating the fully hosted domain also created A Records pointing to their IP address instead of Azure. Do I need to override these somehow, or how should it work? The tutorial did not show if "contoso.com" was https.
In my opinion, fully hosted domain is the hosting company creates its own web app server to hosting your web app and change the A records point to its own web app server IP address.
So you will find the custom domain show that company pages.
If you want to set the custom domain still points to the azure web app, you need change the A record's IP address as azure web app's address.
If you could find the hosting company has already create a certificate and verified your domain.
Then you could download it and upload it in the azure web app's portal.
After binding the SSL, it will work well.
If the fully hosted domain doesn't contain the certificate, you need buy the certificate by yourself again, upload it in the azure web app portal, change the A record points to your azure web app's IP address.
The problem it seems is that when using a fully hosted site, I can add an A Record but the hosting company keeps using their own A Record which I cannot change, it is part of their "uneditable settings."
Since I don't know how your hosting company's fully hosted site works.
Now, the most easily way is you connect to its support team to change the domain setting firstly, then you follow this article to buy a azure certificate and bind it.
For second option, did you mean to download the SSL from the hosting company and use it as 3rd party SSL in Azure? The A Record would still point to the hosting company right ? Also it seems I do not have an option to download the SSL either in PFX format, I can only view the certificate configuration (CSR, key, etc).
Yes, if you have permission to download the PFX format(if you don't know how to do it, please connect to your hosting company support), you could use it as third party SSL.
Related
I have created web apps in Azure which use the built-in certificate for *.azurewebsites.net. SSL works fine here.
I have recently created another web app and the certificate it is using is MYSITE.azurewebsites.net. This certificate has a completely different chain than the other one--the root of which is not trusted on my machine.
Can anyone explain why one site would use the wildcard and the other one wouldn't? Also, why would the certificate chain be different?
(The wildcard cert has a DigiCert root, whereas the site-specific domain (MYSITE.azurewebsites.net) has a Cisco umbrella Root CA)
I wrote Azure Support an got in contact with their Azure Web App Product Group. They gave me the following message
This Cisco Umbrella certificate is not coming from Azure. You doesn’t have any SSL binding nor uploaded any certificate into your subscription.
Most likely your client machine is in a network protected by Cisco Umbrella product. Kindly contact to Cisco Umbrella product support team.
Another option to resolve this issue is to bind a custom domain and add a SSL certificate (Free or App Service or any other certificate) so that you do not use .azurewebsites.net URL.
I am providing you relevant articles which will give you all the details about adding custom domain and binding SSL to your App Service.
You can go through them once and then feel free to reach out to me if you have any questions or concerns
https://learn.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain -> Buy a custom domain name for your Azure App Service.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain -> Add custom domain to your Azure App Service.
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-> Bind SSL certificate
Hello I have created one app for Azure app service test.
Let us say myapp.azurewebsites.net
I thought this is big to recall so I own my domain. Say www.xyzdomain.com
I purchased one SSL from Azure portal and bind with www.xyzdomain.com
So https://www.xyzdomain.com working.
Now my client want to use this app with some custom domain.
I did redirection to www.xyzdomain.com
Now his domain is
Let us say www.hiscustomdomain.com
So how should I proceed with this as they need SSL to secure like https://www.hiscustomdomain.com
He is asking me to raise CSR. I am using app service from Azure portal. Their is no VM.
Sorry for typo.
Thanks
Regards
Kunal
You don't need access to the server to be able to generate a CSR. You can use any computer including your own workstation. See the link below for detailed instructions to create and complete a Certificate Signing Request.
https://www.digicert.com/csr-creation-ssl-installation-iis-10.htm
Once you complete the request, export the certificate from the computer you used to generate the CSR as .pfx format, upload and bind it to you Azure Web App.
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-web-tutorial-custom-ssl
I have created one Web App on Azure and deployed that in two regions. now, using traffic manager I have used failover configuration. As I am having custom domain, I have used individual domains per web app.
So, each of my web app has 3 domains (I) ... azurewebsites.net (II) ... trafficmanager.net (III) .... mycustomdomain-region1.com
Same for second web app with 3 domains.
As I have correctly configured, my customdomain-region1.com is working without any SSL Certificate error.
But when I use TrafficManager.net based url it is giving me azurewebsites.net certificate error. Why it is check azurewebsites.net even though I am having custom domain and also the certificate is well configured in both the web app.
I have clicked "Continue to this website (not recommended). " and I got Error 404 - Web App not found page
Image attached here...
1) https://social.msdn.microsoft.com/Forums/getfile/685720
2) https://social.msdn.microsoft.com/Forums/getfile/685723
The SSL for *.azurewebsites.net is a shared SSL. If you want to use an SSL for your custom domain you will need to purchase and configure it separately. Info can be found here. https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
Note, being you are using multiple web apps in different regions. I would recommend purchasing a wildcard ssl for your domain (*.domain name) and setting up region.websitename.com region2.websitename.com
Let me know if this helps!
I am trying to consume the certificate uploaded in azure website(not webrole) in my web app using following config
<microsoft.identityModel>
<!-- Service Configuration -->
<service>
<serviceCertificate>
<certificateReference findValue="2696C50B72CB368AEB11DE3B23CD226252A1BFD" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint"/>
</serviceCertificate>
<certificateValidation certificateValidationMode="None"/>
</service>
Code works fine on local system. But I am recieving error when deployed to azure website.
ID1024 The configuration property value is not valid
ID1025 Cannot find a unique certificate that matches the criteria
I then tried to browse all the certificates in my azure website(using code). But the certificate list does not contain my uploaded certificate.
Certificate is uploaded and can be seen in azure portal.
Custom domain is mapped and the uploaded certficiate is used against the domain.
But somehow my web app is unable to find the certificate. I tried all possible combination of StoreName and StoreLocation but in vain.
I think there may be some confusion on what the certificates you upload via the Configure tab for Websites are used for. Currently the certificates loaded there are ONLY used for SSL.
When looking at the little help icon next to the certificates section on the configure tab the tooltip states the following:
"This section lets you manage SSL certificates that you can bind to your custom domain names. Binding an SSL certificate to your custom domain name will allow your end users to access your site over HTTPS."
Windows Azure Web Sites exist at a process level, meaning that they can be started up on one machine but move around as the processes go up and down. If you aren't familiar with this I'd suggest reading up on how the hosting model works for Web Sites. Here is an article that covers it: Windows Azure Web Sites - A New Hosting Model for Windows Azure (full disclosure: I wrote the article).
Loading the certificate here I do not believe adds the certificate to any of the stores on the machines your web site runs on. Windows Azure would need to ensure that the cert is always on the machine the site is deployed to and since this is only at a process level and can change frequently (unless you are using standard) it doesn't make sense. The SSL certs are handled differently and as far as I know aren't really deployed to each machine.
As far as I know in order for you to load a certificate and use it you'll either need to look at a web role where loaded certs from the portal ARE placed into the store on the VM or look to see if you can load the certificate manually in code and ship the cert as content on your site (which seems a little less secure to me). I could just be overlooking an option though.
I am in the process of trying to obtain an authenticode certificate for our online application. I have paid for the cert (through KSoftware a reseller of Comodo). They insist that they require the WHOIS information of the sites address to match the company name/address etc.
Here's the problem, the application is hosted in Azure. When I query the WHOIS record for our sites address it returns Microsoft details!
Perhaps someone has been through the process of getting an Azure application signed or knows of any good references I can take a look at.
When you create a service and deploy your application to Windows Azure it runs with DNS name i.e. yourservicename.cloudapp.net.
However if you have a domain name i.e. yourdomainname.com then you sure can set your domain as primary place for your users to come (or any request to come) and then all the requets will be redirected to Windows Azure site (*.cloudapp.net). To make it happen you need to setup CNAME setting in your DNS registrar to send all requests from your domain to Windows Azure application. #Smarx has explained the process here to follow.
Now when you use Authenticode certificate your authenticated request must be handled by your original domain, yourdommainname.com not with your servicename.cloudapp.net. When you have CNAME set for your site yourdomainname.com you will get correct WHOIS info as return by your domainname.com registrar which will be validated correctly by Authenticode certificate.