Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
Container App custom domain on internal environment — TLS handshake returns no peer certificate
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 55.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Simon Horn
0
Reputation points
Hi,
I have an internal Container Apps Environment with a Container App that has a custom domain bound. The binding is SniEnabled and points at a CAE-level certificate that I imported from Key Vault (Let's Encrypt, RSA-2048). Both the certificate resource and the binding report Succeeded with the correct thumbprint, subject and SAN.
From a VM inside the peered VNet, a TLS handshake to the default CAE FQDN works fine and returns the Microsoft wildcard certificate. A TLS handshake to the bound custom hostname on the same IP returns "no peer certificate available" — the server closes the connection before presenting anything. Same behaviour persists after waiting 12+ hours, after restarting the container app revision, and after rebuilding the certificate resource on the latest GA API version.
Has anyone seen this on an internal CAE? Is there a known issue with the ingress not picking up KV-imported certificates for the custom hostname even when the binding looks correct?
Happy to provide more detail or specific resource IDs if useful.
Cheers, Simon
Azure Container Apps
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 14.000000000000002%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Siddhesh Desai 7,055 Reputation points Microsoft External Staff Moderator2026-05-21T02:46:37.3033333+00:00 Hi @Simon Horn
Thank you for reaching out to Microsoft Q&A.
The behavior you are observing where a TLS handshake to the custom domain returns “no peer certificate available” while the default CAE FQDN works correctly is typically not related to the certificate itself but rather to how Azure Container Apps ingress (Envoy-based edge proxy) performs routing and TLS termination. In Container Apps, TLS is always terminated at the ingress level, and routing is entirely based on the hostname/SNI (Server Name Indication) provided in the TLS handshake. Since all applications within an internal Container Apps Environment share a single internal IP, the ingress relies on the hostname to determine which certificate to present. If the incoming request does not match a configured hostname binding (or the binding is not effectively applied at the ingress layer), Envoy does not select a certificate and closes the connection, resulting in the “no peer certificate” response. Even though the custom domain and certificate binding may show as “Succeeded” in the control plane, the data plane (ingress) may not recognize or serve it due to SNI mismatch, DNS issues, or propagation problems.
Refer below points to resolve this issue or this is the workaround
Verify SNI is correctly sent in TLS handshake
Ensure that your test includes the hostname using SNI; otherwise, ingress cannot match the request and will not present a certificate.
openssl s_client -connect <IP>:443 -servername <your-custom-domain>If the certificate appears only when using
-servername, then the issue is confirmed to be related to SNI/hostname mismatch.Validate DNS resolution inside the V-Net
Confirm that your custom domain resolves correctly within the VNet and points to the same internal IP as the Container Apps Environment. Misconfigured private DNS zones or incorrect A/CNAME records can cause ingress to not match the hostname.
Compare default FQDN and custom domain behavior
Run TLS checks for both the default environment FQDN and your custom domain. If the default FQDN returns a valid certificate but the custom domain does not, it indicates that the ingress is not recognizing the custom domain binding even if it shows as successful.
Reapply or rebind the custom domain and certificate
Force a refresh of the binding to ensure propagation to the ingress layer:
az containerapp ingress custom-domain bind \ --name <app-name> \ --resource-group <resource-group> \ --hostname <custom-domain> \ --certificate <certificate-name>Test with a managed certificate (isolation step)
Temporarily switch to an Azure-managed certificate. If this works, it helps isolate whether the issue is related to Key Vault certificate integration or binding propagation.
Check for propagation or platform-side issue (internal CAE)
If all configurations (SNI, DNS, binding) are correct and the issue persists, it is likely that the ingress (Envoy) has not picked up the configuration despite the control plane showing success. In such cases, this may require escalation to the backend team with resource IDs for further investigation.
Sign in to comment
Sign in to answer