You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: support/azure/app-service/troubleshoot-azure-app-service-certificates.md
+5-7Lines changed: 5 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -372,7 +372,7 @@ validity by one year.
372
372
> [!IMPORTANT]
373
373
> After the portal indicates that the certificate is renewed,
374
374
select **Sync** to push the new certificate to your app hostnames
375
-
immediately. (You're either prompted or use the **Rekey and Sync**
375
+
immediately. (You're either prompted to sync, or you can use the **Rekey and Sync**
376
376
blade's **Sync** option.) The new certificate automatically syncs within
377
377
24–48 hours. However, we recommend that you sync right away to avoid any downtime.
378
378
@@ -400,7 +400,7 @@ certificate.
400
400
401
401
You can also export the certificate, if it's necessary, for use in
402
402
other services. Use the **Export Certificate** option in the portal or
403
-
use az webapp config ssl export in Azure CLI. This action provides a Key
403
+
use `az webapp config ssl export` in Azure CLI. This action provides a Key
404
404
Vault secret link to download the Private Key Certificate (PFX)).
405
405
406
406
> [!NOTE]
@@ -551,7 +551,7 @@ Common scenarios include:
551
551
Authority (CA) wasn't included, some clients might reject the chain.
552
552
(App Service certificates from Azure include the full chain, so this problem usually occurs only on custom uploaded certificates).
553
553
554
-
-**Old clients and SNI:** Old clients, such as some older browsers and devices, don't connect if they don't support SNI and you configured only SNI SSL. Conversely, if you configured only an IP-based SSL for one domain and an SNI client comes in on another hostname, it might not get the expected certificate.
554
+
-**Old clients and SNI:** Old clients, like some older browsers and devices, don't connect if they don't support SNI and you configured only SNI SSL. Conversely, if you configured only an IP-based SSL for one domain and an SNI client arrives using another hostname, it might not get the expected certificate.
555
555
556
556
**Solutions**
557
557
@@ -573,7 +573,7 @@ Common scenarios include:
573
573
certificates on the same app service plan. If you need an IP-based SSL
574
574
(for legacy client support), use only one. Make sure that this certificate
575
575
covers all relevant domains. Or, consider using Azure Front Door or
576
-
Azure Application Gateway to handle multiple certificates with
576
+
Azure Application Gateway to handle multiple certificates that need
577
577
legacy support. Azure throws an error if you try to attach a
578
578
certificate to an IP that's already used by another certificate on the
579
579
same IP address. Therefore, make sure to resolve these conflicts by removing the
@@ -585,9 +585,7 @@ Common scenarios include:
585
585
certificate). All App Service certificates (purchased through Azure)
586
586
automatically include the necessary intermediate CAs.
587
587
588
-
-**Support old clients (if it's necessary):** If a subset of users or devices (usually legacy) can't connect, you might need an IP-based SSL
589
-
binding so that a certificate is served even without SNI. Notice that at least a Standard tier plan is required for an IP-based SSL
590
-
binding. Another approach is to use Azure Front Door or Azure Traffic Manager for a certificate because they can better handle older clients. Having both SNI and IP bindings on the same app can show the wrong certificate (see [Step 4: Check App Service certificate binding configuration](#step-4-check-app-service-certificate-binding-configuration)). Therefore, it's better to use one approach. If you have to mix bindings, make sure that the IP-based certificate is a superset of SNI bindings.
588
+
-**Support old clients (if it's necessary):** If a subset of users or devices (usually legacy) can't connect, you might need an IP-based SSL binding so that a certificate is served even without SNI. Notice that at least a Standard tier plan is required for an IP-based SSL binding. Another approach is to use Azure Front Door or Azure Traffic Manager for a certificate because they can better handle older clients. Having both SNI and IP bindings on the same app can show the wrong certificate (see [Step 4: Check App Service certificate binding configuration](#step-4-check-app-service-certificate-binding-configuration)). Therefore, it's better to use one approach. If you have to mix bindings, make sure that the IP-based certificate is a superset of SNI bindings.
591
589
592
590
**Note:** App Service internally uses SNI for most modern clients. On your site, you might see a different certificate, such as an Azure wildcard certificate or a certificate from another site. In this case, it's likely that the request didn't include SNI. This situation is rare. It might be caused an HTTP/2 negotiation issue or a very old client. Always test your site by using a modern browser and tools such as SSL Labs Server Test to verify the configuration.
0 commit comments