Domain Name Verification not getting completed

Question

Domain Name Verification not getting completed

Ankit Khandelwal 0

Hi Team,

I have a Domain Certificate which has expired on 2nd June and has not auto renewed.

Initially it was asking for domain verification as a manual step and the step was completed from our side.

But Domain verification still wasn't completed correctly. On the certificate list page, the status showed Pending Issuance but upon opening the certificate, it showed the status as issued.

We tried to rekey the certificate but it started the whole process of verification again and is not getting completed.

Can you list down exact steps for verification since the domain has many subdomains?

Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator

2026-06-04T18:01:09.5133333+00:00
Hi Ankit Khandelwal,

Thanks for reaching out in Microsoft Q&A forum,

Based on the information provided, your certificate renewal appears to be blocked because the domain validation process has not completed successfully. Since the certificate contains multiple subdomains, the exact validation requirements depend on the certificate provider and certificate type.

If Azure DNS is hosting the domain, please ensure that all DNS validation records (TXT or CNAME) requested by the Certificate Authority have been created exactly as specified and are publicly resolvable.

For certificates containing multiple SANs or wildcard entries, additional validation records may be required depending on the Certificate Authority's validation method.

To provide the exact domain verification steps, could you please confirm:

The certificate type or provider (Azure-managed certificate, App Service Certificate, DigiCert, GoDaddy, Sectigo, etc.)

Whether the certificate was purchased through Azure or imported from an external provider

The validation method being requested (TXT, CNAME, Email, or HTTP)

Once we have these details, we can provide the precise verification procedure applicable to your certificate.
Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator

2026-06-05T19:07:25.1433333+00:00

Hi Ankit Khandelwal,

We haven’t heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
Praveen Bandaru 11,640 Reputation points Microsoft External Staff Moderator

2026-06-12T20:11:21.4033333+00:00

Hello Ankit KhandelwalPlease let me know if the domain is hosted in AFD or App Service.

If it is hosted in AFD, is it an APEX domain or a custom domain?

If you are using a custom domain in AFD and have mapped a CNAME record, the certificate for the domain is supposed to renew automatically 45 days before expiration. However, there is an ongoing issue with Front Door, so renewals are not happening as expected.

You need to wait the certificate reaches 30 days before expiry, as the renewal process may still trigger during this window.

If the certificate has less than 30 days remaining and the domain is still showing validation pending, you will need to manually:

Generate a new TXT record, and

Add it to your DNS zone for validation.

If you are using the Apex domain, you cannot add a CNAME record. Instead, you need to manually generate a new TXT record and add it to the DNS zone for it to work.
Praveen Bandaru 11,640 Reputation points Microsoft External Staff Moderator

2026-06-24T20:11:34.8133333+00:00

Hello Ankit Khandelwal

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

I hope the above answer helps you! Please let us know if you have any further questions.

Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.

1 answer

Your answer

Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator

2026-06-04T18:01:09.5133333+00:00

Hi Ankit Khandelwal,

Thanks for reaching out in Microsoft Q&A forum,

Based on the information provided, your certificate renewal appears to be blocked because the domain validation process has not completed successfully. Since the certificate contains multiple subdomains, the exact validation requirements depend on the certificate provider and certificate type.

If Azure DNS is hosting the domain, please ensure that all DNS validation records (TXT or CNAME) requested by the Certificate Authority have been created exactly as specified and are publicly resolvable.

For certificates containing multiple SANs or wildcard entries, additional validation records may be required depending on the Certificate Authority's validation method.

To provide the exact domain verification steps, could you please confirm:

The certificate type or provider (Azure-managed certificate, App Service Certificate, DigiCert, GoDaddy, Sectigo, etc.)

Whether the certificate was purchased through Azure or imported from an external provider

The validation method being requested (TXT, CNAME, Email, or HTTP)

Once we have these details, we can provide the precise verification procedure applicable to your certificate.
Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator

2026-06-05T19:07:25.1433333+00:00

Hi Ankit Khandelwal,

We haven’t heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
Praveen Bandaru 11,640 Reputation points Microsoft External Staff Moderator

2026-06-12T20:11:21.4033333+00:00

Hello Ankit KhandelwalPlease let me know if the domain is hosted in AFD or App Service.

If it is hosted in AFD, is it an APEX domain or a custom domain?

If you are using a custom domain in AFD and have mapped a CNAME record, the certificate for the domain is supposed to renew automatically 45 days before expiration. However, there is an ongoing issue with Front Door, so renewals are not happening as expected.

You need to wait the certificate reaches 30 days before expiry, as the renewal process may still trigger during this window.

If the certificate has less than 30 days remaining and the domain is still showing validation pending, you will need to manually:

Generate a new TXT record, and

Add it to your DNS zone for validation.

If you are using the Apex domain, you cannot add a CNAME record. Instead, you need to manually generate a new TXT record and add it to the DNS zone for it to work.
Praveen Bandaru 11,640 Reputation points Microsoft External Staff Moderator

2026-06-24T20:11:34.8133333+00:00

Hello Ankit Khandelwal

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

I hope the above answer helps you! Please let us know if you have any further questions.

Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.

Answer 1

hi Ankit Khandelwal & thx for sharing urs issue here at Q&A portal,

the cert order got stuck between domain validation and issuance state. If the list page says Pending Issuance but the cert detail says Issued, that’s not normal UI behavior. Rekey can restart validation, so now u may be dealing w/ a fresh validation order instead of the original renewal.

For domain validation, the exact steps depend on the cert type/provider, but usually u need to create the DNS validation record exactly as shown in the cert blade. If the cert covers subdomains or wildcard names, each required hostname/SAN may need its own validation record unless the provider gives one shared record.

Don’t guess the TXT/CNAME record name. Copy it from the certificate validation page. In Azure DNS, make sure u add it in the correct zone. If the cert is for app.contoso.com, the record may need to live in the contoso.com zone or in a delegated app.contoso.com zone, depending on how DNS is split.

nslookup -type=TXT <validation-record-name>

nslookup -type=CNAME <validation-record-name>

or

dig TXT <validation-record-name>

dig CNAME <validation-record-name>

If public DNS doesn’t return the validation value, the CA won’t complete validation, even if Azure portal shows the record internally.

https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain

https://learn.microsoft.com/en-us/azure/dns/dns-getstarted-portal

If DNS is correct publicly and it’s still stuck, open a support case w/ cert name, thumbprint/order id if shown, domain names/SANs, validation record values, UTC time u added DNS, and screenshots showing Pending Issuance vs Issued. That mismatch prob needs backend cleanup/retry from the cert provider side.

rgds,

Alex

&

If my answer was helpful pls mark it and additional thx if u follow me at Q&A portal 
and at my blog https://ctrlaltdel.blog/

Share via

Domain Name Verification not getting completed

1 answer

Your answer