support/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-custom-domain-issues-azure-app-service.md
14 additions & 10 deletions
@@ -105,10 +105,10 @@ After the custom domain is added, perform a quick test to make sure that it's co
105
105
- Open a browser, and navigate to *http://*. You should see your web app content. It might initially redirect to *https* (if SSL is enforced or after the certificate is added).
106
106
107
107
- An *Azure 404 (Web App not found)* error message suggests that the custom domain isn't recognized by Azure. The likely cause is that the domain wasn't added to the app or the DNS is misconfigured.
108
-
Go back to [Step 2](#step-2-confirm-dns-record-configuration) and [Step 3](#step-3-add-and-validate-the-custom-domain-in-azure), and verify that the domain appears in the app's custom domains list and that DNS resolution is configured to the correct IP. For example, if you're using an A record without the required TXT record, a *404* error might occur because Azure didn't fully verify and map the domain. Make sure that the domain appears as **Active"** in Azure. If not, re-add it. Make sure to also verify that you didn't create conflicting records (CNAME versus A records) that can confuse resolution.
108
+
Go back to [Step 2](#step-2-verify-dns-record-configuration) and [Step 3](#step-3-add-and-verify-the-custom-domain-in-azure), and verify that the domain appears in the app's custom domains list and that DNS resolution is configured to the correct IP. For example, if you're using an A record without the required TXT record, a *404* error might occur because Azure didn't fully verify and map the domain. Make sure that the domain appears as **Active"** in Azure. If not, re-add it. Make sure to also verify that you didn't create conflicting records (CNAME versus A records) that can confuse resolution.
109
109
For more information, see [Troubleshoot domain and TLS/SSL certificate problems in Azure App Service](/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates).
110
110
111
-
- A *DNS (domain not found)* error message indicates a DNS issue because the domain isn't resolving. Use `nslookup <yourdomain>` or an online DNS checker. If no A or CNAME record results are returned, the DNS records might not be available or propagated. Return to [Step 2](#step-2-confirm-dns-record-configuration) to fix the DNS settings (or wait longer if you recently added them).
111
+
- A *DNS (domain not found)* error message indicates a DNS issue because the domain isn't resolving. Use `nslookup <yourdomain>` or an online DNS checker. If no A or CNAME record results are returned, the DNS records might not be available or propagated. Return to [Step 2](#step-2-verify-dns-record-configuration) to fix the DNS settings (or wait longer if you recently added them).
112
112
113
113
- A *403* or other permission error might indicate that access or IP restrictions are enabled on your app and are allowing only certain IPs or Azure Virtual Networks. If you set those restrictions intentionally, make sure that your current client IP is allowed. The Azure custom domain doesn't cause a *403* error. The error means that the app received the request but refused it because of a rule. Check the **Networking > Access Restriction** settings of the App Service instance. If your app is in an internal load balancer (ILB) App Service Environment (isolated) or behind a firewall, make sure that you're accessing it from a permitted network. External users can't reach an internal-only app, even if DNS is correctly configured. In these cases, consider using a VPN or Azure ExpressRoute that connects to that environment, or configure a public access point, if it's appropriate.
114
114
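Review bot: Line 108 still carries the mismatched emphasis `**Active"**` (a stray double quote inside the bold markers), and since this hunk already rewrites that line for the anchor rename, it should be corrected to `**Active**` in the same pass rather than left for a follow-up. The renamed anchors (`#step-2-verify-dns-record-configuration`, `#step-3-add-and-verify-the-custom-domain-in-azure`) match the ones used in the later hunks, so the cross-references will resolve as long as the step headings were renamed to "verify" as well.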
@@ -125,7 +125,7 @@ Serving your app over HTTPS is crucial. Azure App Service supports four methods
125
125
126
126
**Option B: Import an App Service certificate** - To import an App Service certificate, [buy and configure an App Service certificate](/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate), and then add it to the web app. For more information, see [Import an App Service certificate](/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#import-an-app-service-certificate).
127
127
128
-
**Option C: Upload a certificate** - For more control (or if you need certificates such as wildcard or Extended Validation (EV) certificates), you can upload a PFX certificate with its password. Go to **TLS/SSL Settings > Private Key Certificates (.pfx)** in your App Service instance, and upload your certificate. Then, go to **Custom domains > Add binding**, and select the uploaded certificate plus either Server Name Indication (SNI) or IP-based SSL. Most scenarios use SNI SSL. This choice allows multiple certificates on one IP. IP-based SSL is needed only for older clients that don't support SNI. [IP SSL requires your app to be on Standard tier or greater (Basic tier only supportsSNI)](/azure/app-service/app-service-web-tutorial-custom-domain). For more information, see [Upload a private certificate](/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#upload-a-private-certificate).
128
+
**Option C: Upload a certificate** - For more control (or if you need certificates such as wildcard or Extended Validation (EV) certificates), you can upload a PFX certificate by using its password. Go to **TLS/SSL Settings > Private Key Certificates (.pfx)** in your App Service instance, and upload your certificate. Then, go to **Custom domains > Add binding**, and select the uploaded certificate plus either Server Name Indication (SNI) or IP-based SSL. Most scenarios use SNI SSL. This choice allows multiple certificates on one IP. IP-based SSL is needed only for older clients that don't support SNI. [IP SSL requires your app to be on Standard tier or greater (Basic tier only supportsSNI)](/azure/app-service/app-service-web-tutorial-custom-domain). For more information, see [Upload a private certificate](/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#upload-a-private-certificate).
129
129
130
130
**Option D: Import a certificate from Key Vault** - If you use Key Vault to manage your certificates, you can import a PKCS12 certificate into your App Service instance from Key Vault if you meet the [requirements](/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#private-certificate-requirements). For more information, see [Import a certificate from Key Vault](/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#import-a-certificate-from-key-vault).
131
131
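Review bot: Line 128 keeps the missing space in "Basic tier only supportsSNI" inside the link text even though the same line is being edited for wording; fix it to "supports SNI" here. On the wording change itself, "upload a PFX certificate by using its password" reads as if the password were the upload mechanism; "upload a PFX certificate together with its password" preserves the original meaning (the PFX is protected by a password that must be supplied at upload) more clearly.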
@@ -136,7 +136,7 @@ After you complete the SSL setup, you might encounter a few known issues.
136
136
137
137
**Issue**: Can't add SSL binding (conflict error). If you see an error message such as, *Failed to add SSL binding. Cannot set certificate for existing VIP because another VIP already uses that certificate.*, another App Service instance is using an IP-based SSL that has the same certificate. One IP address can't be bound to two different certificates across apps.
138
138
139
-
**Solution**: Convert one of the apps to SNI SSL (if possible) or use the same certificate on both. If you're using an IP-based SSL out of necessity, you might have to remove the IP SSL binding from the other app before you can bind it here. Azure generally recommends SNI SSL unless you must have an IP-based solution. For more information, see \[How to add custom domain for my API web app\](/answers/questions/5618685/how-to-add-custom-domain-for-my-api-web-app).
139
+
**Solution**: Convert one of the apps to SNI SSL (if possible) or use the same certificate on both. If you're using an IP-based SSL out of necessity, you might have to remove the IP SSL binding from the other app before you can bind it here. Azure generally recommends SNI SSL unless you must have an IP-based solution. For more information, see [How to add custom domain for my API web app](/answers/questions/5618685/how-to-add-custom-domain-for-my-api-web-app).
140
140
141
141
**Issue**: The certificate uploaded successfully but isn't visible or can't be selected.
142
142
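Review bot: Unescaping `\[...\]` into a real Markdown link on line 139 is the right fix. The remaining nit in this region is the quoted error message on context line 137, where the closing period sits inside the italics and is immediately followed by a comma (`certificate.*,`), which renders as ". ," in the output; drop the comma or move the period outside the emphasis while this section is being touched.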
@@ -192,7 +192,7 @@ The DNS records must be publicly resolvable. Some DNS providers can take up to 4
192
192
193
193
4. Select **Dig.**
194
194
195
-
5. Check the value that's returned, and then match the value on the custom domains portal with **Custom Domain Verification ID**.
195
+
5. Check the value that's returned, and then match the value on the custom domains portal with the **Custom Domain Verification ID** value.
196
196
197
197
**Issue**: Can I add internal domains to App Service?
198
198
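Review bot: The rewording on line 195 is fine, but step 4 on context line 193 has the same punctuation-inside-bold problem (`**Dig.**`); for consistency with the new `**Custom Domain Verification ID** value.` phrasing, write it as `Select **Dig**.`.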
@@ -259,21 +259,21 @@ Similar to the free managed certificate, the presence of CAA records can prevent
259
259
**Solution**: Make sure that [godaddy.com](https://godaddy.com/) is authorized to issue certificates for the domain. The App Service certificate is stored in Key Vault. Make sure that the key vault access policies include the secret permissions for *Microsoft.Azure.WebSites* (`GET`) and *Microsoft.Azure.CertificateRegistration* (`GET`,
260
260
`SET`, `DELETE`).
261
261
262
-
Additionally, domain ownership verification is required every 395 days for renewal or rekeying. We recommend that you use a DNS TXT record for this verification. The verification check is performed at the root of the domain to which the certificate is issued. The domain verification token value is generated when domain ownership has to be verified. To obtain this value, go to the Azure portal > your App Service certificate > **Certificate Configuration**, and then perform [Step 2](#step-2-confirm-dns-record-configuration).
262
+
Additionally, domain ownership verification is required every 395 days for renewal or rekeying. We recommend that you use a DNS TXT record for this verification. The verification check is performed at the root of the domain to which the certificate is issued. The domain verification token value is generated when domain ownership has to be verified. To obtain this value, go to the Azure portal > your App Service certificate > **Certificate Configuration**, and then perform [Step 2](#step-2-verify-dns-record-configuration).
263
263
264
264
**Note**: The determined value must be entered on the DNS server root domain for the TXT record.
265
265
266
266
**Issue**: The custom domain doesn't resolve (DNS not found errors).
267
267
268
268
When you visit the domain, a "Server not found" or similar DNS error message is returned. This error occurs if DNS records aren't configured or not propagated. Either the A or CNAME record is missing, or you're checking too soon.
269
269
270
-
**Solution**: Create the required DNS records (A for root with TXT, or CNAME for subdomain), as described in [Step 3](#step-3-add-and-validate-the-custom-domain-in-azure) and wait for propagation. To verify that the records exist, use global DNS check tools. If these records do exist, make sure that you use the correct Azure domain as the target (for example, *yourapp.azurewebsites.net*). Also, make sure that the domain name is spelled correctly. Verify that you didn't create conflicting records (such as having both an A and CNAME record for the same name). After the DNS is correct, Azure validation and resolution can succeed. For more information, see [Troubleshoot domain and TLS/SSL certificate problems in Azure App Service](/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates).
270
+
**Solution**: Create the required DNS records (A for root with TXT, or CNAME for subdomain), as described in [Step 3](#step-3-add-and-verify-the-custom-domain-in-azure) and wait for propagation. To verify that the records exist, use global DNS check tools. If these records do exist, make sure that you use the correct Azure domain as the target (for example, *yourapp.azurewebsites.net*). Also, make sure that the domain name is spelled correctly. Verify that you didn't create conflicting records (such as having both an A and CNAME record for the same name). After the DNS is correct, Azure validation and resolution can succeed. For more information, see [Troubleshoot domain and TLS/SSL certificate problems in Azure App Service](/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates).
271
271
272
272
**Issue**: I'm seeing this error message: "Web app not found (HTTP 404 on custom domain)."
273
273
274
274
DNS behaves as expected (the domain resolves). However, if you browse to *http://custom-domain*, you receive an "Azure 404" error message. This error indicates that the custom hostname isn't linked to the App Service configuration, and that Azure can't determine which app should answer that domain. The domain isn't successfully added to the app, or the DNS points to Azure but the app doesn't have that hostname in its bindings.
275
275
276
-
**Solution**: Go to the Azure portal, and add the custom domain to your app if it's not already there ([Step 3](#step-3-add-and-validate-the-custom-domain-in-azure)). If it's listed but you still see a "404" error, you might have added an A record without the TXT record, or vice versa. Make sure that both required records exist. Also, make sure to clear your browser cache and DNS cache. For more information, see [Troubleshoot domain and TLS/SSL certificate problems in Azure App Service](/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates).
276
+
**Solution**: Go to the Azure portal, and add the custom domain to your app if it's not already there ([Step 3](#step-3-add-and-verify-the-custom-domain-in-azure)). If it's listed but you still see a "404" error, you might have added an A record without the TXT record, or vice versa. Make sure that both required records exist. Also, make sure to clear your browser cache and DNS cache. For more information, see [Troubleshoot domain and TLS/SSL certificate problems in Azure App Service](/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates).
277
277
278
278
**Issue**: I can't add a custom domain. The portal says "not authorized" or fails immediately.
279
279
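Review bot: Line 269 still directs the reader to Step 3 to create the A/TXT or CNAME records, while line 262 in the same hunk treats DNS record configuration as Step 2 (`#step-2-verify-dns-record-configuration`); since this hunk only renames the anchor text, please confirm that Step 3 (add and verify the custom domain in Azure) is really where record creation is described, or point line 269 at Step 2 instead. Separately, the Key Vault permission list on context lines 259-260 is split across a hard line break in the middle of the parenthesis (`(\`GET\`,` / `\`SET\`, \`DELETE\`).`); joining those into one line keeps the list intact when rendered.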
@@ -290,7 +290,7 @@ then it's likely that your Azure account role doesn't permit this action. Only c
290
290
Azure returns an error message such as, "The custom domain is already assigned to a different app," or it fails validation because of a reported duplication.
291
291
This situation might occur if the domain was previously mapped to another app service or Azure service and that mapping wasn't removed. Azure prevents this kind of reuse to avoid domain takeover. For example, a colleague mapped the domain to a test app, you had it in another subscription but forgot to remove it, or (for a migrated DNS) the domain is lingering in an orphaned resource.
292
292
293
-
**Solution**: Identify where the custom domain is used. Check other apps in your subscriptions first. If you find the domain, remove it from that app. If you can't find it (for example, it's in a subscription that you no longer have access to, or it's on a now-deleted app), you have to open an Azure support ticket to release the domain. You must provide proof of domain ownership (such as a screenshot of your domain registrar settings) so that Microsoft Support can manually clear it. Then, you can add it to your app successfully. For more information, see [Unable to Reuse My Custom Domain After Losing Access to Previous Azure Account](/answers/questions/2121811/unable-to-reuse-my-custom-domain-after-losing-acce).
293
+
**Solution**: Identify where the custom domain is used. Check other apps in your subscriptions first. If you find the domain, remove it from that app. If you can't find it (for example, it's in a subscription that you no longer have access to, or it's on a now-deleted app), you have to open an Azure support ticket to release the domain. You must provide proof of domain ownership (like a screenshot of your domain registrar settings) so that Microsoft Support can manually release it. Then, you can add it to your app successfully. For more information, see [Unable to Reuse My Custom Domain After Losing Access to Previous Azure Account](/answers/questions/2121811/unable-to-reuse-my-custom-domain-after-losing-acce).
294
294
295
295
**Issue**: SSL certificate issues.
296
296
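Review bot: The change from "such as" to "like" on line 293 goes against the rest of this file, which uses "such as" to introduce examples (context lines 137, 269, 291 and 329 in the surrounding hunks); keep "such as" for consistency. The "clear it" to "release it" change is an improvement, since "release the domain" is the term already used earlier in the same sentence.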
@@ -324,7 +324,7 @@ You added the DNS records and can query them successfully, but Azure validation
324
324
325
325
**Issue**: Too many hostnames or subdomain limit reached.
326
326
327
-
Trying to add more custom hostnames to an app fails or you're limit-capped. A multi-tenant n App Service might limit the number of custom domains (hostnames) that you can assign. When you use Azure DNS zone integration, this limit is usually around 100 hostnames for external DNS or more (up to 500, having a hard platform limit of 500 per app).
327
+
Trying to add more custom hostnames to an app fails or you're limit-capped. A multi-tenant App Service might limit the number of custom domains (hostnames) that you can assign. When you use Azure DNS zone integration, this limit is usually around 100 hostnames for external DNS or more (up to 500, having a hard platform limit of 500 per app).
328
328
329
329
**Solution**: If you need a large number of subdomains, consider migrating your domain's DNS to Azure DNS. Azure DNS supports up to 500 hostnames on a single App Service. You might have to design a different solution (such as using wildcard certificates on a single wildcard binding or deploying another app). To free up slots, always remove any hostnames that you no longer use. In one tenant, the sum of custom hostnames should also not exceed certain thresholds (although 500 per app is usually the limit). For more information, see [Troubleshoot domain and TLS/SSL certificate problems in Azure App Service](/troubleshoot/azure/app-service/connection-issues-with-ssl-or-tls/troubleshoot-domain-and-tls-ssl-certificates).
330
330
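Review bot: Removing the stray "n" on line 327 fixes the typo but leaves the sentence internally inconsistent: "usually around 100 hostnames for external DNS or more (up to 500, having a hard platform limit of 500 per app)" states both "around 100" and "up to 500" for the same condition. Restructure it so each number maps to one case, for example "around 100 hostnames with an external DNS provider, and up to the platform limit of 500 per app when you use Azure DNS zone integration", which also agrees with the Solution on line 329 ("Azure DNS supports up to 500 hostnames on a single App Service"). "you're limit-capped" would read better as "you reach the limit".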
@@ -334,3 +334,7 @@ After you set up the site, only certain networks can reach the site. For example
334
334
domain might be intended for internal use only.
335
335
336
336
**Solution**: Verify the IP where your custom domain is resolving. If it's a private address, then external users can't reach it by design. In such cases, either expose the site by using a public IP or proxy, or make sure that clients are within the network (for example, by using a VPN). If this situation isn't intentional, you might have configured a private endpoint. Consider removing the private endpoint for a purely public web app. If you expected internal-only access, and you see external exposure, make sure that you didn't use a public DNS for an internal app. Internal apps should use DNS entries that resolve internally only (for example, by using Azure Private DNS). Make sure that you match your DNS configuration to your network setup.
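Review bot: The header `@@ -334,3 +334,7 @@` declares four added lines after line 336, but no `+` lines appear in this rendering, so the appended content cannot be reviewed here; please confirm that the four new lines are intentional and that the file still ends with a single trailing newline, since a 3-to-7 line count with nothing visible is often trailing whitespace or a blank paste below the last paragraph.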