Azure Portal - Function App TLS bindings completely out of sync with actual TLS frontend behaviour

Steven Fletcher 0 Reputation points
2026-06-22T12:33:28.3166667+00:00

I have a number of Azure Functions apps running the Flex Consumption plan. The TLS bindings displayed in the portal are completely disconnected from what is actually happening.

The portal reports "No binding" for multiple custom domains, but ARM reports sslState=SniEnabled.

I have updated certificates in my Key Vault that have been updated for over 7 days but these are not being served on the TLS front end.

There is inconsistent behaviour observed with the TLS front end vs. the custom domain certificate bindings. Some of the custom domains on this function app show as "No bindings", although they are working at the TLS front end. The TLS front end is serving older certificates.

When I try to update the bindings, and import a new certificate from the Key Vault, I get the error:

"Failed to import key vault certificate: https://my-key-vault.vault.azure.net/certificates/my-certificate-name. Error: The number of certificates uploaded in this webspace exceeded the maximum number allowed."


2 answers

  1. Steven Fletcher 0 Reputation points
    2026-06-22T15:28:56.5433333+00:00

    Good afternoon.

    I tried most of these when troubleshooting last night, but to specifically address some points:

    • "Import the latest Key Vault certificate only once."
      It's completely impossible to import any Key Vault certificate due to the error quoted earlier: "The number of certificates uploaded in this webspace exceeded the maximum number allowed."
      Obviously, this prevents me from re-trying the bind and validate steps.
    • The ARM thumbprint of the certificate properties.hostNameSslStates.thumbprint is 6D3C....
    • The thumbprint of the latest version of the certificate in Key Vault is D52A....
    • The thumbprint of the certificate currently being served by the TLS front end is 6D3C....

    I removed the custom domains. There were no certificates showing in the portal.

    I re-added the custom domain. I attempted to import the certificate from the Key Vault. Again - the same error: “The number of certificates uploaded in this webspace exceeded the maximum number allowed.”

    This Function App is now down. Please escalate to Support, thank you.


  2. Sina Salam 30,246 Reputation points Volunteer Moderator
    2026-06-22T15:04:55.3566667+00:00

    Hello Steven Fletcher,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that your Azure Portal Function App TLS bindings are completely out of sync with the actual TLS frontend behaviour.

    The issue is caused by a mismatch between the Azure Portal TLS binding display, the actual ARM hostname SSL binding state, and the TLS frontend certificate being served, combined with a blocking certificate-store error: “The number of certificates uploaded in this webspace exceeded the maximum number allowed.”

    What you can do to fix it is to:

    • Stop relying on the Azure Portal view for this incident and validate the binding through ARM/CLI.
    • Review all imported certificates in the App Service webspace.
    • Remove old, expired, duplicate, or unused certificate objects.
    • Import the latest Key Vault certificate only once.
    • Explicitly bind each affected custom domain to the latest certificate thumbprint using SNI SSL.
    • Validate the public TLS endpoint with SNI using openssl.
    • Escalate to Azure Support only if ARM shows the new thumbprint but the public TLS frontend still serves the old certificate.

    This works because App Service stores uploaded or imported certificates in a shared webspace/deployment unit, and stale certificates in that webspace can block new imports or cause certificate inventory confusion. Also, custom domain HTTPS for App Service and Function Apps is completed by creating a TLS/SSL binding, normally using SNI SSL for multiple custom domains.

    Use the below resource links for more reading and implementation steps:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    Was this answer helpful?
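The three-way thumbprint comparison that both posts in this thread rely on (ARM binding, latest Key Vault version, certificate served with SNI) can be scripted. The following is an added example, not code from either poster or from Microsoft; the verdict names, host names and certificate bytes are constructed, and the `sslState`/`thumbprint` fields are assumed to come from the app's `properties.hostNameSslStates`.

```python
import hashlib
import socket
import ssl

def thumbprint(der: bytes) -> str:
    """Thumbprint as ARM reports it: SHA-1 of the DER certificate, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def served_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate the TLS front end serves for this SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: a stale certificate may be
    ctx.verify_mode = ssl.CERT_NONE  # expired and we still need its thumbprint
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def classify(state: dict, served_tp: str, vault_tp: str) -> str:
    """Compare one hostNameSslStates entry with the served and Key Vault thumbprints."""
    arm_tp = (state.get("thumbprint") or "").upper()
    if state.get("sslState", "Disabled") == "Disabled" or not arm_tp:
        return "NO_BINDING_IN_ARM"   # ARM itself has no TLS binding for this name
    if arm_tp != vault_tp:
        return "REBIND"              # ARM still points at an older certificate
    if served_tp != vault_tp:
        return "ESCALATE"            # ARM is current, front end serves the old one
    return "IN_SYNC"

def audit(states, vault_tp, fetch=served_der):
    """Return {hostname: verdict}; `fetch` maps a hostname to served DER bytes."""
    vault_tp = vault_tp.upper()
    return {s["name"]: classify(s, thumbprint(fetch(s["name"])), vault_tp)
            for s in states}

# Constructed sample data: stand-in bytes instead of real DER certificates.
OLD, NEW = b"constructed-old-cert-der", b"constructed-new-cert-der"
SAMPLE_STATES = [
    {"name": "api.example.test", "sslState": "SniEnabled", "thumbprint": thumbprint(OLD)},
    {"name": "www.example.test", "sslState": "SniEnabled", "thumbprint": thumbprint(NEW)},
    {"name": "app.example.test", "sslState": "SniEnabled", "thumbprint": thumbprint(NEW)},
    {"name": "old.example.test", "sslState": "Disabled", "thumbprint": None},
]
SAMPLE_SERVED = {"api.example.test": OLD, "www.example.test": OLD,
                 "app.example.test": NEW, "old.example.test": OLD}

if __name__ == "__main__":
    results = audit(SAMPLE_STATES, thumbprint(NEW), SAMPLE_SERVED.__getitem__)
    for host, verdict in results.items():
        print(f"{host}: {verdict}")
```

Against a live app, drop the `fetch` argument so `served_der` performs the SNI handshake, and pass the thumbprint of the latest Key Vault certificate version as `vault_tp`.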

