Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
Azure App Service Managed Certificate creation fails after DNS zone migration even though custom domains are verified and public DNS is correct
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWI%3C/text%3E%3C/svg%3E)
Wil Isaacs
0
Reputation points
I’m looking for help with what appears to be an Azure App Service Managed Certificate validation problem after a DNS zone migration.
Environment
- Azure App Service (Linux)
- Custom domains:
- teXX.flopXXX.neX
- api.teXX.flopXXX.neX
- App Service hostname bindings are present and show Verified
- We recently moved authoritative DNS for flopstr.net to a new Azure DNS zone and updated registrar delegation
Problem
Azure Managed Certificate creation still fails for both custom domains even though public DNS appears correct and the hostname bindings are verified.
The managed certificate creation fails with:
- BadRequest 54524
- Message indicating the current CNAME/A record is empty
For api.test.flopstr.net, App Service also reported this cause text:
[CheckARecordForHttpValidatedWebspaceASMCRequests]: Not found A record directly pointing to ip address 20.42.128.96 ... Current A record of the hostname api.test.flopstr.net has no A record set.
What we have already verified
- Registrar delegation has been updated to the new Azure DNS zone
- Public DNS resolves correctly from public resolvers
- test.flopstr.net and api.test.flopstr.net point to the App Service hostname as expected
- Required asuid TXT records are present:
- asuid.teXX
- asuid.api.teXX
- App Service custom hostname bindings are Verified
- We deleted and recreated hostname bindings/certificate attempts after the DNS cutover
- No managed certificate resources are being created successfully
- HTTPS on the custom domains still presents the wrong-principal/default certificate because the managed cert never issues
Why this seems Azure-side
What is confusing is that Azure shows the hostname bindings as Verified, public DNS is correct, but managed certificate creation still behaves as if the DNS record is missing.
Also, for api.test.flopstr.net, Azure appears to be asking for an A record to the webspace IP, even though this hostname is configured as a CNAME to App Service, which is the normal pattern for an App
Service subdomain.
Question
Has anyone seen Azure Managed Certificates get stuck in a stale or incorrect DNS validation state after DNS zone migration / delegation changes?
Is there a known way to force the managed certificate validator to refresh, or does this require Microsoft to reset/clear something server-side?
At this point I’m trying to determine whether this is:
- a known propagation/cache delay inside Azure,
- a managed certificate validator bug/stale state issue,
- or a real requirement to temporarily change the DNS pattern for the subdomain.
I only have the Dev support plan or else I'd open a direct ticket on this issue.
Azure App Service
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 7.000000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Praneeth Maddali 6,935 Reputation points Microsoft External Staff Moderator2026-04-06T16:09:30.7933333+00:00 HI @Wil Isaacs
Thank you for contacting us about the Azure App Service Managed Certificate creation fails issue. We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know. We appreciate your patience while we work on this.
-
TP 155.1K Reputation points Volunteer Moderator2026-04-06T16:19:51.4966667+00:00 Hi Wil,
Recently many people are having issues with App Service Managed Certificates. To eliminate it as possible issue, please add CAA record to your apex domain (flopstr.net). After adding CAA record, please try to create new Managed Certificate under Settings -- Certificates blade.
Name: @
Type: CAA
TTL: 1 Hours
Flags: 0
Tag: issue
Value: digicert.com
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 33%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Sign in to comment
Sign in to answer