Azure App Service and Functions team Blog

The latest from the App Service and Functions engineering teams

Troubleshooting Tools for App Service Certificate

This blog post describes the tools available to you for debugging issues with App Service Certificate resources that you may be using with Web App or other Azure services. SSL is a critical part of your application, and you may run into a few issues when configuring or renewing the certificate. The tools listed below provide the information you need to self-debug the issue in most cases.

  1. Verify Status of your Certificate: Check whether the status of your certificate is ready for use. Sometimes the certificate might have the Domain verification step pending, and this status tile tells you what steps you need to take.

There are many different states the certificate can be in:

    • Certificate Denied: Domain verification was not completed in 15 days, causing the certificate to be in the denied state. The certificate will not be billed. Purchase a new certificate with the same domain to resolve this. The certificate cannot be restored.
    • Certificate Expired: The certificate has expired. If auto renew was enabled and the certificate still expired, then the credit card payment may have failed for the subscription. In this case, you need to purchase a new certificate with the desired domain to resolve the issue. The certificate cannot be restored.
    • Domain verification required: Domain verification is pending. Click on “Certificate Configuration” and complete STEP 2 for domain verification. If the Domain verification option is not working, select Manual verification to complete this step. If Domain verification is not completed in 15 days, the certificate will be in the denied state.
    • Key Vault out of sync: The Key Vault can be out of sync if it was deleted, moved to another subscription, or if the subscription was in a suspended/canceled state. Choose your App Service certificate in the Azure portal, click on Certificate Configuration and complete STEP 1 to assign a new Key Vault resource to the App Service certificate. Note: if you are bringing your external certificate via Key Vault using this blog post, you must reconfigure it to use the correct secret with the App Service certificate. App Service certificate looks for the secret name and does not support using a “certificate object” in Key Vault. This is a limitation and we are working on fixing it.
  2. Debug using Resource Explorer: You can look at the certificate order state in Resource Explorer at https://resources.azure.com. Select your subscription -> Providers -> Microsoft.CertificateRegistration -> certificateOrders. This lists all the certificate orders within the subscription.
    • Search for a given certificate and look at the “provisioningState” property. If it is Succeeded, the certificate is in the ready-to-use state. If not, resolve the issues based on the states mentioned earlier in this post.
  3. Debug using Timeline: View the list of historical activities or operations that have occurred on the App Service Certificate resource using the Timeline feature to help debug the issue.
  4. Sync a Certificate: The Web App service runs a background job periodically (once a day) that syncs all App Service certificates. Hence, when you rotate or update a certificate, the application is sometimes still retrieving the old certificate and not the newly updated one. This is because the job has not yet run to sync the certificate resource. To force a sync of the certificate, click on the Rekey and Sync setting and then click on the Sync button.
  5. Refer to the FAQs documentation: Get access to the appropriate App Service certificate documentation to help resolve issues with Configuration, Rekey and Sync, Renewal, etc.
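
To confirm whether a sync has taken effect after a rotation, you can compare the certificate the app actually serves with the new one. This is an added example, not code from the original post or from Azure; it assumes you know the SHA-1 thumbprints of the old and new certificates, and the hostname and sample byte strings are placeholders constructed for illustration.

```python
import hashlib
import socket
import ssl


def thumbprint(der_cert: bytes) -> str:
    """SHA-1 thumbprint (uppercase hex) of a DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def normalize(tp: str) -> str:
    """Drop separators so 'ab:cd ef' and 'ABCDEF' compare equal."""
    return "".join(c for c in tp if c.isalnum()).upper()


def fetch_served_cert(host, port=443, timeout=10.0) -> bytes:
    """Return the DER leaf certificate the server presents for host (via SNI)."""
    # Validation is off on purpose: an expired or mismatched certificate must
    # still be retrievable so it can be identified. No application data is sent.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sync_status(served_der: bytes, new_tp: str, old_tp: str = "") -> str:
    """'synced' = new cert served, 'stale' = old cert still served, else 'unknown'."""
    served = thumbprint(served_der)
    if served == normalize(new_tp):
        return "synced"
    if old_tp and served == normalize(old_tp):
        return "stale"
    return "unknown"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    old_der, new_der = b"constructed-old-cert", b"constructed-new-cert"
    print(sync_status(old_der, thumbprint(new_der), thumbprint(old_der)))  # stale
    # Live check (placeholder hostname and thumbprint):
    # print(sync_status(fetch_served_cert("www.example.com"), "<new thumbprint>"))
```

A result of "stale" means the app is still serving the old certificate and the sync has not yet run; "unknown" means the served certificate matches neither thumbprint you supplied.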

 

If the above tools don't help you resolve the certificate-related issues, then please contact Microsoft Azure Support.