Troubleshoot domain and TLS / SSL certificates in Azure App Service


This article lists common issues you might encounter when configuring a domain or a TLS / SSL certificate for your web apps in Azure App Service. It also describes the possible causes and solutions for these problems.

If, while reading this article, you find that you need further help, you can reach out to Azure experts through the MSDN forum or the Stack Overflow forum. Alternatively, you have the option to create an Azure support case. Go to the Azure support website and select the option Get support.

Problems with certificates

You cannot add a TLS / SSL certificate binding to an app


When you add a TLS binding, you get the following error message:

"Error adding SSL binding. The certificate for the existing VIP cannot be set because another VIP is already using this certificate. "

Cause

This problem can occur if you use multiple IP-based SSL bindings for the same IP address across apps. For example, App A has an IP-based SSL binding with an old certificate, and App B has an IP-based SSL binding with a new certificate for the same IP address. When you update App A's TLS binding with the new certificate, the update fails with this error because the same IP address is used by another app.


To resolve the problem, use one of the following methods:

  • Delete the IP-based SSL binding for the app using the old certificate.
  • Create a new IP-based SSL binding that uses the new certificate.

You cannot delete a certificate.


When you try to delete a certificate, you receive the following error message:

"The certificate cannot be deleted because it is currently being used in a TLS / SSL binding. The TLS binding must be removed before you can delete the certificate."

Cause

This problem can occur if another app is using the certificate.


Remove the TLS binding for this certificate from the apps. Then try to delete the certificate. If you still cannot delete the certificate, clear your internet browser cache and reopen the Azure portal in a new browser window. Then try to delete the certificate.

You cannot purchase an App Service Certificate.


You cannot purchase an Azure App Service certificate through the Azure portal.

Cause and solution

This problem can occur for one of the following reasons:

  • The App Service plan is "Free" or "Shared". TLS is not supported in these pricing tiers.

    Solution: Upgrade the app's App Service plan to the "Standard" tier.

  • A valid credit card is not specified for the subscription.

    Solution: Add a valid credit card to your subscription.

  • The subscription offer (for example, Microsoft Student) does not support the purchase of an App Service Certificate.

    Solution: Upgrade your subscription.

  • The subscription has reached the limit of purchases that are allowed for a subscription.

    Solution: For App Service certificates, there is a limit of ten certificate purchases for subscriptions of the "Pay-As-You-Go" and "Enterprise Agreement" types. Other subscription types only allow three (3) purchases. Contact Azure support to increase this limit.

  • The App Service certificate has been flagged for possible fraud. You received the following error message: "Your certificate has been flagged as fraudulent. The requirement is currently being checked. If the certificate is not usable within 24 hours, please contact Azure support."

    Solution: If the certificate is flagged as suspect and the problem has not been resolved after 24 hours, do the following:

    1. Sign in to the Azure portal.
    2. Go to App Service Certificates and select the certificate.
    3. Select Certificate Configuration > Step 2: Verify > Domain Verification. This step sends an email message to the Azure certificate provider asking them to fix the problem.

Problems with custom domains

A custom domain returns a 404 error.


When navigating to the website using the custom domain name, you receive the following error message:

"Error 404 - Web app not found."

Cause and solution

Cause 1

The custom domain that you configured is missing a CNAME or an A record.

Solution for cause 1

  • If you added an A record, make sure that a TXT record is also added. For more information, see Create the A Record.
  • If you don't need to use the root domain for your app, we recommend that you use a CNAME record instead of an A record.
  • Do not use a CNAME record and an A record for the same domain at the same time. Doing so can cause a conflict and prevent the domain from being resolved.

Cause 2

The old IP address for your domain may still be cached in the Internet browser.

Solution for cause 2

Clear the browser cache. For Windows devices, you can run the command. Use WhatsmyDNS.net to verify that your domain points to the app's IP address.

You cannot add a subdomain.


You can't add a new hostname to an app to assign a subdomain.


  • Check with your subscription administrator to make sure that you have permission to add hostnames to the app.
  • If you need more subdomains, we recommend that you switch to Azure Domain Name Service (DNS) for domain hosting. If you're using Azure DNS, you can add 500 hostnames to your app. For more information, see Adding a Subdomain.

DNS cannot be resolved


You received the following error message:

"The DNS entry could not be found."

Cause

This problem occurs for one of the following reasons:

  • The time to live (TTL) period has not yet expired. Check the DNS configuration for your domain to determine the TTL value, then wait for it to expire.
  • The DNS configuration is incorrect.


  • Wait 48 hours for this problem to resolve on its own.
  • If you can change the Time To Live (TTL) setting in your DNS configuration, change the value to 5 minutes to see if that solves the problem.
  • Use WhatsmyDNS.net to verify that your domain points to the app's IP address. If not, configure the A record with the correct IP address of the app.

You need to restore a deleted domain


The domain is no longer displayed in the Azure portal.

Cause

The subscription owner may have accidentally deleted the domain.


If your domain was deleted less than seven days ago, the deletion process has not yet started for the domain. In this case, you can purchase the same domain again in the Azure portal under the same subscription. (Be sure to enter the exact domain name in the search box.) You will not be billed again for this domain. If the domain was deleted more than seven days ago, contact Azure Support for help with restoring the domain.

Problems with domains

You have purchased a TLS / SSL certificate for the wrong domain.


You purchased an App Service Certificate for the wrong domain. You cannot update the certificate to use the correct domain.


Delete this certificate, and then purchase a new certificate.

If the current certificate using the wrong domain is in the "Issued" status, you will also be billed for that certificate. App Service Certificates are non-refundable. However, you can contact Azure support and see if there are other options.

An App Service certificate was renewed, but the old certificate is displayed in the app


The App Service certificate has been renewed, but the app using the App Service certificate is still using the old certificate. You also received a warning that the HTTPS protocol is required.

Cause

App Service automatically synchronizes your certificate within 48 hours. When you update or switch a certificate, the application sometimes continues to get the old certificate rather than the newly updated one. This happens because the job that synchronizes the certificate resource has not run yet. Select Sync. The sync process automatically updates the hostname bindings for the certificate in App Service without causing any downtime for your apps.


You can force a synchronization of the certificate:

  1. Sign in to the Azure portal. Select App Service Certificates, and then select the certificate.
  2. Select Rekey and Sync, and then select Sync. It will take some time to synchronize.
  3. When the synchronization is complete, you will see the following notification: "All resources have been successfully updated with the latest certificate."
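
To confirm from outside the portal which certificate an app serves after a renewal, you can compare the thumbprint of the served certificate with the thumbprints of the old and the renewed certificate. The following is an added example, not part of the original article; the function names are hypothetical, and it assumes you have both SHA-1 thumbprints at hand.

```python
import hashlib
import socket
import ssl


def normalize_thumbprint(value: str) -> str:
    """Upper-case hex without separators; also drops invisible characters
    that can come along when a thumbprint is copied from a dialog."""
    cleaned = "".join(ch for ch in value if ch.isalnum()).upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def thumbprint_of(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate (the certificate thumbprint)."""
    return hashlib.sha1(der_cert, usedforsecurity=False).hexdigest().upper()


def fetch_served_cert(hostname: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """DER leaf certificate presented for this SNI name. Inspection only:
    validation is off so that an expired old certificate can still be read;
    the result is trusted only after it matches a known thumbprint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def sync_status(served_der: bytes, new_thumbprint: str, old_thumbprint: str) -> str:
    """'synced' if the app serves the renewed certificate, 'stale' if it still
    serves the old one, 'unexpected' for anything else."""
    served = thumbprint_of(served_der)
    if served == normalize_thumbprint(new_thumbprint):
        return "synced"
    if served == normalize_thumbprint(old_thumbprint):
        return "stale"
    return "unexpected"


if __name__ == "__main__":
    # Constructed byte strings stand in for DER certificates (not real certs).
    old_der, new_der = b"constructed-old-cert", b"constructed-new-cert"
    old_tp, new_tp = thumbprint_of(old_der), thumbprint_of(new_der)
    print(sync_status(old_der, new_tp, old_tp))
    print(sync_status(new_der, new_tp, old_tp))
```

For a live check, pass the result of `fetch_served_cert` for your custom hostname as `served_der`; a result of "stale" means the synchronization has not run yet.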

Domain verification does not work


The App Service certificate requires domain verification before the certificate can be used. When you select Verify, the operation fails.


Manually verify your domain by adding a TXT record:

  1. Go to the Domain Name Service (DNS) provider that hosts your domain name.
  2. Add a TXT record for your domain that uses the domain token value shown in the Azure portal.

Wait a few minutes for DNS propagation to complete, and then select the Refresh button to trigger the verification.

As an alternative, you can use the HTML web page method to manually verify your domain. This method enables the CA to verify ownership of the domain for which the certificate is issued.

  1. Create an HTML file named "{Domain Verification Token}.html". The content of this file must be the value of the domain verification token.
  2. Upload this file to the root directory of the web server hosting your domain.
  3. Select Refresh to check the status of the certificate. It may take a few minutes for the verification to complete.

Example: You purchase a standard certificate for azure.com with the domain verification token "1234abcd". A web request made for https://azure.com/1234abcd.html should return "1234abcd".
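
Before you trigger the verification, you can check both manual methods yourself. The following is an added example, not part of the original article: it classifies the response for the token file and looks for the token among TXT values you have already queried. The function names are hypothetical and the sample responses are constructed.

```python
import urllib.error
import urllib.parse
import urllib.request


def token_url(domain: str, token: str) -> str:
    """URL of the token file: {token}.html in the web root of the domain."""
    return f"https://{domain}/{urllib.parse.quote(token, safe='')}.html"


def check_html(status: int, body: bytes, token: str) -> str:
    """Classify the response for the token file."""
    if status != 200:
        return f"http-{status}"              # file missing or blocked
    if body == token.encode():
        return "match"
    # A BOM or trailing newline added by an editor: the content must be the
    # token value, so report the difference instead of silently accepting it.
    if body.decode("utf-8-sig", errors="replace").strip() == token:
        return "match-after-trim"
    return "mismatch"                        # e.g. a catch-all page answering 200


def check_txt(txt_values: list[str], token: str) -> bool:
    """True if any TXT value equals the token; resolver output is often quoted."""
    return any(v.strip().strip('"') == token for v in txt_values)


def fetch_token_file(domain: str, token: str, timeout: float = 10.0):
    """Live request for the token file; returns (status, body). Not used below."""
    try:
        with urllib.request.urlopen(token_url(domain, token), timeout=timeout) as r:
            return r.status, r.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


if __name__ == "__main__":
    token = "1234abcd"                       # token from the example above
    # Constructed responses and TXT values, not captured from a real server.
    samples = [(200, b"1234abcd"), (200, b"\xef\xbb\xbf1234abcd\r\n"),
               (200, b"<html>1234abcd</html>"), (404, b"")]
    for status, body in samples:
        print(check_html(status, body, token))
    print(check_txt(['"v=spf1 -all"', '"1234abcd"'], token))
```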


When you order a certificate, the domain verification process must be completed within 15 days. After 15 days, the certificate authority denies the certificate and you are not billed for it. In that case, delete the certificate and try again.

You cannot purchase a domain.


You cannot purchase an App Service domain from the Azure portal.

Cause and solution

This problem occurs for one of the following reasons:

  • No credit card is specified for the Azure subscription, or the credit card is invalid.

    Solution: Add a valid credit card to your subscription.

  • You are not the owner of the subscription, so you are not authorized to purchase a domain.

    Solution: Assign the "Owner" role to your account. Or, contact the subscription administrator for permission to purchase a domain.

  • You have reached the limit on how many domains can be purchased for your subscription. The current limit is 20 domain purchases.

    Solution: Contact Azure Support to request a limit increase.

  • Your Azure subscription type does not support purchasing an App Service Domain.

    Solution: Upgrade your Azure subscription to a different subscription type, for example a Pay-As-You-Go subscription.

You can't add a hostname to an app


When you add a hostname, domain validation and verification fail.

Cause

This problem occurs for one of the following reasons:

  • You do not have permission to add a hostname.

    Solution: Ask the subscription administrator to give you permission to add a hostname.

  • Domain ownership could not be verified.

    Solution: Make sure your CNAME or A record is configured correctly. Create a CNAME record or an A record to associate a custom domain with the app. If you want to use a root domain, you need to use an A and a TXT record:

    Entry type    Host    Refers to
    A             @       IP address for app

Frequently asked questions

Do I need to configure my custom domain for my website after purchase?

When you purchase a domain through the Azure portal, the App Service application is automatically configured to use the custom domain. No additional steps are required. For more information, see the Azure App Service Self Help: Add a Custom Domain Name video on Channel 9.

Can I use a domain that I purchased through the Azure portal to point to an Azure VM?

Yes, you can set up the domain to point to a VM. For more information, see Deploy custom domain settings for an Azure service with Azure DNS.

Is my domain hosted by GoDaddy or Azure DNS?

App Service domains use GoDaddy for domain registration and Azure DNS for hosting the domains.

The automatic renewal is activated. Even so, I received a renewal notification for my domain by email. How should I proceed?

If auto-renew is turned on, you don't need to take any action. The notification email informs you that the domain is about to expire and will need to be renewed manually if automatic renewal is not activated.

Are there any fees for Azure DNS to host my domain?

When purchasing a domain, the initial cost only includes domain registration. In addition, there are fees for Azure DNS, the amount of which depends on your usage behavior. For more information, see Azure DNS pricing.

I purchased my domain through the Azure portal and now I want to use Azure DNS for hosting instead of GoDaddy. How do I do this?

Migrating to Azure DNS is not required for hosting. If you choose to take this step, see the Domain Management section of the Azure portal for information on the steps required to switch to Azure DNS. If you purchased the domain through App Service, migrating from GoDaddy to Azure DNS is straightforward.

I want to purchase a domain through the App Service domain. Can I host this on GoDaddy instead of Azure DNS?

As of July 24, 2017, App Service domains purchased through the Azure portal are hosted in Azure DNS. If you want to use another hosting provider, you need to check their website for a domain hosting solution.

Are there any costs if I use the privacy protection feature for my domain?

If you purchase a domain through the Azure portal, you can add privacy protection for free. This is one of the benefits of purchasing your domain through Azure App Service.

Is there a money back guarantee in case I stop using my domain?

There are no fees for five days after you purchase a domain. During this period you can decide against using the domain. However, this rule does not apply to .uk domains. After purchasing such a domain, fees are immediately incurred that are non-refundable.

Can I use the domain for another Azure App Service app in my subscription?

Yes. When you go to the Custom Domains and TLS blade in the Azure portal, you'll see the domains you've purchased. You can configure your app to use one of these domains.

Can I move a domain from one subscription to another?

You can use the Move-AzResource PowerShell cmdlet to move a domain to a different subscription or resource group.

How can I manage my custom domain if I don't currently have an Azure App Service app?

You can also manage your domain without an App Service web app. The domain can be used for Azure services such as virtual machines or storage. If you want to use the domain for App Service web apps, you must specify a web app that is not part of the Free App Service plan in order to bind the domain to your web app.

Can I move a web app with a custom domain to another subscription or from an App Service Environment v1 to an App Service Environment v2?

Yes, you can move your web app from one subscription to another. To do this, follow the steps in the Move resources to Azure guide. There are some limitations to keep in mind when moving a web app. For more information, see Limitations on Moving App Service Resources.

After you move the web app, the hostname bindings of the domains within the custom domains setting should be retained. No additional steps are required to configure the hostname bindings.