support/azure/app-service/troubleshoot-azure-app-service-certificates.md
8 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@ ms.custom: sap:auto-renewal
12
12
---
13
13
# Troubleshoot Azure App Service certificates
14
14
15
-
Azure App Service certificates provide a convenient way to purchase, provision, and manage SSL/TLS certificates for Azure App Services. This article helps developers and administrators systematically diagnose and fix issues that affect App Service certificates. See the following sections:
15
+
Azure App Service certificates provide a convenient way to purchase, provision, and manage SSL/TLS certificates for Azure App Services. This article helps developers and admins systematically diagnose and fix issues that affect App Service certificates. See the following sections:
16
16
17
17
-[Step-by-step troubleshooting flow](#step-by-step-troubleshooting-flow): A sequence of checks and actions to resolve certificate problems, including portal and command-line steps.
18
18
@@ -106,7 +106,7 @@ Domain **ownership verification** is important because Azure doesn't issue or re
106
106
standard certificates. It doesn't work if **HTTPS Only** is enabled on
107
107
your site.
108
108
109
-
-**Domain Verification:** This method creates a .txt file if you host
109
+
-**Domain Verification:** This method creates a DNS .txt file if you host
110
110
your domain by using an App Service domain.
111
111
112
112
2. After you initiate verification, select **Refresh** until you see
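Review bot: "DNS .txt file" in the new Domain Verification bullet mixes two different things, a file with a .txt extension and a DNS record of type TXT. If this method publishes a record in the zone of the App Service domain, say so directly, for example "This method creates a DNS TXT record if you host your domain by using an App Service domain", so readers look in the DNS zone rather than for a file on the site.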
@@ -201,7 +201,7 @@ job.
201
201
202
202
> [!NOTE]
203
203
> **Rekey** is used to change the certificate's key. **Sync**
204
-
updates bindings with the current certificate.
204
+
updates bindings by adding the current certificate.
205
205
206
206
**For Azure CLI**
207
207
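Review bot: "updates bindings by adding the current certificate" in the note can be read as Sync attaching one more certificate next to the old one, which leaves open whether the previous certificate and key are still served after a Rekey. Please state the outcome explicitly, for example that the existing bindings are pointed at the current certificate, and whether the earlier certificate is removed from the binding. Also check that this continuation line still carries the leading `>` so it renders inside the note.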
@@ -335,8 +335,8 @@ error:
335
335
default Azure certificate might appear if you use the
336
336
*\*.azurewebsites.net* domain that has a custom domain requirement.
337
337
338
-
- Because DNS caching can direct you to an old IP, clear the DNS cache if you recently changed a record (in Windows, located at
339
-
*ipconfig/flushdns*).
338
+
- Because DNS caching can direct you to an old IP, clear the DNS cache if you recently changed a record (in Windows, run
339
+
`ipconfig/flushdns`).
340
340
341
341
- If a wrong certificate appears in the custom domain, it might
342
342
indicate the mixed SNI and IP bindings scenario that was previously discussed.
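Review bot: the command in the DNS caching bullet is now formatted as code but is still written without a space, `ipconfig/flushdns`. The usual form is `ipconfig /flushdns`, and that is the form safest to copy into any Windows shell. It would also help to say that this clears only the local resolver cache, so an upstream resolver can keep returning the old IP until the record's TTL expires.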
@@ -475,7 +475,7 @@ an Azure notification or email message that states that a certificate is expirin
475
475
verification. The renewal stayed in a *Pending issuance* state, and the old certificate eventually expired.
476
476
477
477
-**Key Vault permission issue:** Azure tried to renew but couldn't
478
-
update the Key Vault secret because the required access was missing.
478
+
update the Key Vault secret because the required access permissions were missing.
479
479
480
480
-**Payment or subscription issue (for purchase renewals):** Renewal can fail if both the following conditions are true:
481
481
- The certificate is a paid App Service certificate.
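Review bot: "the required access permissions were missing" in the Key Vault permission bullet is more words but no more specific: it still doesn't say which identity lacked access or to what. Consider naming the identity that performs the renewal write to the vault, or linking to the later "User access versus system access" item that covers the back-end service principals, so the reader knows where to check. "Access permissions" can also be shortened to "permissions".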
@@ -666,15 +666,15 @@ After you complete the setup, you find that your web app can't use the certifica
666
666
policies or delete and re-create the vault without reinitializing the
667
667
certificate.
668
668
669
-
-**User access versus system access:** If your Azure AD tenant has
669
+
-**User access versus system access:** If your Microsoft Entra ID tenant has
670
670
policies (such as Conditional Access) that interfere with the back-end
671
671
service principals' ability to access the Key Vault, this issue might block
672
672
the sync. Typically, the service principles operate outside of those
673
673
constraints. Make sure that Key Vault isn't using only private endpoints or a
674
674
firewall that can block Azure services. (Azure Key Vault should allow
675
675
trusted Azure services, if you're using that feature.)
676
676
677
-
-**App configuration (local permissions):** If your code tries to load the certificate from the store, and you see an *Access denied* message or something similar, you might have to adjust the app's identity or permissions to match how you export the certificate. This situation is rare. By default, the certificate that's bound to your web app is made available to the worker process. A managed identity isn't necessary if you want only to use an App Service certificate in the web app. This is true because this task is usually handled by the platform. However, if you explicitly upload a certificate that has a password, you might have to add an app setting to grant access (**WEBSITE_LOAD_CERTIFICATES** setting).
677
+
-**App configuration (local permissions):** If your code tries to load the certificate from the local computer certificate store, and you see an *Access denied* message or something similar, you might have to adjust the app's identity or permissions to match how you export the certificate. This situation is rare. By default, the certificate that's bound to your web app is made available to the worker process. A managed identity isn't necessary if you want only to use an App Service certificate in the web app. This is true because this task is usually handled by the platform. However, if you explicitly upload a certificate that has a password, you might have to add an app setting to grant access (**WEBSITE_LOAD_CERTIFICATES** setting).
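Review bot: "local computer certificate store" in the App configuration bullet now names a specific store location, so please confirm it is the location the platform actually loads certificates into when **WEBSITE_LOAD_CERTIFICATES** is set. Code that opens a different store location than the one documented fails with the same *Access denied* or not-found symptom this bullet is meant to resolve. While this paragraph is being edited, the unchanged line above it reads "the service principles operate outside of those constraints"; that should be "service principals", matching "service principals' ability" two lines earlier.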