Certificate Issue with Custom Domain of Web App and Traffic Manager - azure

I have created one Web App on Azure and deployed that in two regions. now, using traffic manager I have used failover configuration. As I am having custom domain, I have used individual domains per web app.
So, each of my web app has 3 domains (I) ... azurewebsites.net (II) ... trafficmanager.net (III) .... mycustomdomain-region1.com
Same for second web app with 3 domains.
As I have correctly configured, my customdomain-region1.com is working without any SSL Certificate error.
But when I use TrafficManager.net based url it is giving me azurewebsites.net certificate error. Why it is check azurewebsites.net even though I am having custom domain and also the certificate is well configured in both the web app.
I have clicked "Continue to this website (not recommended). " and I got Error 404 - Web App not found page
Image attached here...
1) https://social.msdn.microsoft.com/Forums/getfile/685720
2) https://social.msdn.microsoft.com/Forums/getfile/685723

The SSL for *.azurewebsites.net is a shared SSL. If you want to use an SSL for your custom domain you will need to purchase and configure it separately. Info can be found here. https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/
Note, being you are using multiple web apps in different regions. I would recommend purchasing a wildcard ssl for your domain (*.domain name) and setting up region.websitename.com region2.websitename.com
Let me know if this helps!

Related

Restrict azure wildcard domain

We do have multitenant app hosted on azure and we considered using wild card domains as there is restriction of number of subdomains an app service can contain(as of now it is 500) and I was able to add wildcard domains and attach to out App service.
Now Our concern is , it allows any domains which ends with say '.oursize.com', at least the landing page of website.
Suppose, we asked customer A to use as.oursite.com, if they misspell and use ap.oursite.com, still they will be able to access this and try to login and end up having error.
So, Is there any way, we can add restriction for subdomain? at App service level to allow only some domains or at Traffic manager level or load balancer level?
If you have enabled TLS/SSL with your Azure Web App then maybe by using a certificate with Subject Alternate Name you can restrict a customer from entering a wrong domain name. You can go through this documentation for additional details.

Azure Custom URL with HTTPS

I have an web app on Azure with a myapp.azurewebsites.net address and have been following the guide here:
https://learn.microsoft.com/en-USazure/app-service-web/app-service-web-tutorial-custom-domain
Based on this, I have added the hostname in the app settings and it has been verified. I have also added the A Record and TXT record in my domain hosting provider based on the instructions (A Record points to the Azure website IP address) along with installing the SSL certificate for the external domain on the external host.
However when I type in the custom domain name, it goes to the page on the external host instead of the Azure website
What I would like to happen is: https://custom.domain will show the same as https://myapp.azurewebsites.net
Is this even possible ?
As far as I know, the certificate is used to tell the user(client browser) this website is secure.
Normally, there are two reasons why the browser window showed the non-secure page.
You're probably using a self-signed certificate.
You may have left out intermediate certificates when you export your certificate to the PFX file.
So if you want your custom domain doesn't show the non-secure page, you need buy a certificate from the azure or some other company.
After verifying domain ownership, then you could bind this certificate to your azure web app.
After this operation, it will work well.
More details about how to buy certificate with custom domain in the azure, you could refer to this article.
After buying the azure certificate, you could find the certificate as below image shows:
After binding the certificate well, it will not show the no-secure page in the browser.
Image 1:
Image 2:
I saw that creating the fully hosted domain also created A Records pointing to their IP address instead of Azure. Do I need to override these somehow, or how should it work? The tutorial did not show if "contoso.com" was https.
In my opinion, fully hosted domain is the hosting company creates its own web app server to hosting your web app and change the A records point to its own web app server IP address.
So you will find the custom domain show that company pages.
If you want to set the custom domain still points to the azure web app, you need change the A record's IP address as azure web app's address.
If you could find the hosting company has already create a certificate and verified your domain.
Then you could download it and upload it in the azure web app's portal.
After binding the SSL, it will work well.
If the fully hosted domain doesn't contain the certificate, you need buy the certificate by yourself again, upload it in the azure web app portal, change the A record points to your azure web app's IP address.
The problem it seems is that when using a fully hosted site, I can add an A Record but the hosting company keeps using their own A Record which I cannot change, it is part of their "uneditable settings."
Since I don't know how your hosting company's fully hosted site works.
Now, the most easily way is you connect to its support team to change the domain setting firstly, then you follow this article to buy a azure certificate and bind it.
For second option, did you mean to download the SSL from the hosting company and use it as 3rd party SSL in Azure? The A Record would still point to the hosting company right ? Also it seems I do not have an option to download the SSL either in PFX format, I can only view the certificate configuration (CSR, key, etc).
Yes, if you have permission to download the PFX format(if you don't know how to do it, please connect to your hosting company support), you could use it as third party SSL.

SSL certificate for a multitenant web app

I'm developing a multitenant web app hosted in azure. Tenants point their domain to my app and this is how I distinguish between them. So client1.com and client2.com both point to myapp.azurewebsites.net but depending on which url a user came from I serve different pages.
How can I add SSL certificate(s) to that website so nobody gets an invalid domain name error?
Thanks
When you put the website in the correct pricing tier you can add custom domains and ssl certificates yourself.
After you add your domains (client1.com, etc) and after you add your certificats (for client.com,etx) you can set an ssl binding.
That way it should work.
Here are some useful links: https://azure.microsoft.com/en-us/documentation/articles/web-sites-custom-domain-name/ (to add a custom domain to the website)
And here how to add the ssl binding (check step 3) https://azure.microsoft.com/en-us/documentation/articles/web-sites-purchase-ssl-web-site/

Securing authenticated traffic on Azure website without custom certificate

I'm building an ASP.NET MVC website to be hosted as a shared Azure website with custom domain name.
For the backend portion of the site (for specific users only) I need a login form and from that point on all traffic should be SSL encrypted. However I don't have a custom certificate and would like to avoid that extra cost.
I noticed that free websites already serve over HTTPS with a wildcard certificate for *.azurewbesites.net. Is that "free" azurewebsites.net-address also available for shared websites with custom domain(s) so I can simply redirect all "pages" that require authentication via the https://xyz.azurewebsites.net address? I'm aware that would be a cross-domain redirect which is visible to the end-user but that is not an issue since it's only a select group of users...
Yes, using the *.azurewebsites.net domain is your only option to have HTTPS without extra cost. The domain is always available, even if you use a custom domain, because it's used for a few additional services (like your repo, remote console, ...).

Windows Azure websites https

If I create an azure website let's assume: myname.azurewebsites.net, I can access this by using http (http://myname.azurewebsites.net) or https (https://myname.azurewebsites.net).
What does this mean? Did I understood it right that basically I don't need an SSL certificate as it has one by default?
I need to build a web service that needs to use SSL. Therefore do I need to buy an ssl certificate and custom domain (not important)? I don't need a custom domain and the default one works fine for me. So can I use my service over SSL provided by Azure: https://myname.azurewebsites.net (is a wildcard certificate)?
If you need to build a web service that needs to use SSL I highly suggest that you use your own domain and your own SSL certificate (buy one) if you are going in production with it. If you just test/play around - than you can safely use the default provided one.
And you are correct about default provided one - you get a (free) SSL for your azure web site as long as it is only bound to the default XXX.azurewebsites.net domain. However the certificate you get there is a wildcard certificate issued to *.azurewebsites.net. I would not use it if I have to go for a production service!
If you are to use SSL features of Azure Web Sites with your own domain and certificate, check out the Pricing and requirement pages. There are important things to note!

Resources