Unable to verify a custom domain for HTTPS

  • Question

  • I am trying to create a custom domain on Azure CDN with HTTPS enabled. I want to use the apex of my custom domain (e.g. "contoso.com" not "www.contoso.com"). I am using Microsoft Standard Azure CDN.

    So far, I have managed to create the custom domain record by pointing the cdnverify subdomain to the azureedge cdnverify subdomain. However, when I try to enable HTTPS (that is CDN managed), it throws an error message: "We couldn't find a DNS record for custom domain that points to endpoint. To map a domain to this endpoint, create a CNAME record with your DNS provider for custom domain that points to endpoint."

    I have made a CNAME record that points to the endpoint hostname, and verified that the record works through online DNS lookup services. However, I still receive the error message. I was told by a support engineer that this is because I am not actually allowed to point the apex of my custom domain to anything based on the DNS spec. I have verified that this is true: the HTTPS validation works when I add a "www" subdomain.

    What should I do to enable HTTPS on the apex of my domain?

    I have already looked at:

    https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate#custom-domain-is-not-mapped-to-your-cdn-endpoint

    The link above tells me what to do during the validation process but not what to do to start the validation process.

    https://docs.microsoft.com/en-us/azure/cdn/cdn-map-content-to-custom-domain#map-the-temporary-cdnverify-subdomain

    The page for the link above only tells me how to create the custom domain record on Azure CDN. I have already done this using the cdnverify method. It does mention two other links for using the zone apex which I have also looked at.

    https://docs.microsoft.com/en-us/azure/dns/dns-alias#point-zone-apex-to-azure-cdn-endpoints

    This link above tells me that I have to create an alias record from the zone apex to the CDN endpoint. I have tried creating an A record from the zone apex to the IP address that is resolved from the CDN endpoint. This does not resolve the problem.


    • Edited by JT' Monday, June 10, 2019 3:43 PM Pasted wrong link for docs on pointing to zone apex
    Monday, June 10, 2019 9:50 AM

Answers

  • Hi, 

    I am successfully able to create a custom domain with apex in CDN. 

    Note: This cannot be done with Akamai. 

    Below are the steps to create it:

    1. Once you have delegated your domain to Azure DNS, try creating a new record with the following settings:

    Leave the Name empty. Enable Alias record and then select the CDN profile. 

    2. You can see Azure DNS will create a new record for CDN to get this validated. 

    3. Try adding the apex domain in the CDN and it gets created. 

    Once it is done, when you try to enable SSL for the endpoint with a CDN managed certificate, it fails. 

    We are not supporting apex domains via the CDN managed route for any provider.

    Documentation needs to be updated and I will do that. In the meantime, you can use the Bring your own cert option to enable SSL on their custom domain.

    Hope this helps. 

    Msrini


    Tuesday, June 11, 2019 8:10 AM
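
The DNS rule behind this thread, as an added example that is not part of the original posts: a CNAME may not share an owner name with other record types, and the zone apex always carries SOA and NS records, which is why the answer uses an alias A record set there. The endpoint name `myendpoint`, the name server, and the 192.0.2.10 address are constructed placeholders, and the second record list assumes the alias is served to resolvers as a plain A record.

```python
from collections import defaultdict

ZONE = "contoso.com."

# Constructed zone contents as (owner name, record type, value) tuples.
BASE = [
    ("contoso.com.", "SOA", "ns1.example-dns.test. hostmaster.contoso.com. 1 3600 300 1209600 300"),
    ("contoso.com.", "NS", "ns1.example-dns.test."),
    ("www.contoso.com.", "CNAME", "myendpoint.azureedge.net."),
    ("cdnverify.contoso.com.", "CNAME", "cdnverify.myendpoint.azureedge.net."),
]
# What the question attempted: a CNAME placed directly on the apex.
RECORDS_WITH_APEX_CNAME = BASE + [("contoso.com.", "CNAME", "myendpoint.azureedge.net.")]
# What the answer describes: an alias record set, seen by resolvers as A data.
RECORDS_WITH_APEX_ALIAS = BASE + [("contoso.com.", "A", "192.0.2.10")]

# DNSSEC record types that are allowed to sit beside a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def normalize(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def cname_conflicts(zone, records):
    """Return (owner, reason) pairs for CNAME placements that DNS forbids."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _value in records:
        types_by_owner[normalize(owner)].add(rtype.upper())

    apex = normalize(zone)
    problems = []
    for owner, types in sorted(types_by_owner.items()):
        if "CNAME" not in types:
            continue
        others = types - ALLOWED_WITH_CNAME
        if owner == apex:
            # The apex must hold SOA and NS, so a CNAME can never be valid here.
            problems.append((owner, "CNAME at zone apex conflicts with required SOA/NS"))
        elif others:
            problems.append((owner, "CNAME coexists with " + ", ".join(sorted(others))))
    return problems


if __name__ == "__main__":
    for label, recs in (("apex CNAME", RECORDS_WITH_APEX_CNAME),
                        ("apex alias A", RECORDS_WITH_APEX_ALIAS)):
        print(label, "->", cname_conflicts(ZONE, recs) or "no conflicts")
```
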

All replies

  • I don't think you can map apex domain to CDN as you will not be able to validate. 

    If your end goal is for the page to be displayed whether your client accesses contoso.com or www.contoso.com, then you can configure redirection on the server or on the CDN to get that working. 

    Let me know if you have any further questions. 

    Regards, 

    Msrini

    Monday, June 10, 2019 12:59 PM
  • I believe this is possible as it is stated in the documentation. However, there just seems to be something that is preventing me from starting the validation process.

    Validation is possible as shown in this tutorial (https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate#custom-domain-is-not-mapped-to-your-cdn-endpoint) that I had previously linked. DigiCert CA will validate my ownership of the domain by sending an email to the whois registrant's email.

    It is also stated that it is possible to create a custom domain on Azure CDN using the zone apex in this tutorial (https://docs.microsoft.com/en-us/azure/dns/dns-alias#point-zone-apex-to-azure-cdn-endpoints)

    Monday, June 10, 2019 3:43 PM
  • I missed the link which you have provided. Did you try creating the alias record along with the A record?

    Did you test the Alias record as mentioned in the article?

    Regards, 

    Msrini

    Monday, June 10, 2019 4:43 PM
  • I realised that an alias record is not the same as an A record... I also realised my DNS provider does not provide Alias records. I have now delegated the nameservers to Azure DNS with an Alias A record pointing to my Azure CDN endpoint.

    However, I am still having the same problem. I have ensured that my domain points to the same IP address as the Azure CDN's resolved IP address.

    Tuesday, June 11, 2019 6:02 AM
  • Hello there. I don't have the same resource alias options in my DNS Set. I can only set the public IP, front door or traffic manager. Am I missing something?
    Sunday, February 2, 2020 12:41 PM