Domain verification fails for App Service certificate

  • Question

  • I've created an App Service certificate in the portal and have moved it to the domain verification stage. I've selected manual verification and have followed the instructions as indicated, creating a TXT entry at the root of our domain using the supplied domain verification token. The portal doesn't like something though as it never reports the certificate as verified, even after more than an hour.

    I've put my browser in debug mode to see what is going on and can see that the portal makes a call to

    https://management.azure.com/subscriptions/my-subscription/resourceGroups/my-group/providers/Microsoft.CertificateRegistration/certificateOrders/my-cert/verifyDomainOwnership?api-version=2015-08-01

    This call is returning code 400 every time it's made. I tried making this call explicitly through the Try It mode for this REST call described here:

    https://docs.microsoft.com/en-us/rest/api/appservice/appservicecertificateorders/verifydomainownership

    and I get a 400 error in this case as well, although I get a bit more information in the JSON blob that's returned:

    {
      "Code": "CertificateResellerWebService_NOT_FOUND_TOKEN",
      "Message": "All remaining domain control tokens were not found",
      "Target": null,
      "Details": [
        {
          "Message": "All remaining domain control tokens were not found"
        },
        {
          "Code": "CertificateResellerWebService_NOT_FOUND_TOKEN"
        },
        {
          "ErrorEntity": null
        }
      ],
      "Innererror": null
    }

    As you can see, it's complaining about a missing domain control token. Is this the same as a domain verification token? Whatever the case, it is failing consistently with this message and I cannot figure out how to solve this. Any help would be appreciated.

    Tuesday, January 22, 2019 6:11 PM

All replies

  • Hi pwsteele,

    We apologize for the frustration on this issue. You can try this alternate method mentioned on this blog to manually verify your App Service certificate. The Html Web Page method can be used to allow the certificate authority to confirm the domain ownership of the domain the certificate is issued for.

    To use this method:

    - Create an HTML file named {Domain Verification Token}.html.
    - Content of this file should be the value of Domain Verification Token.
    - Upload this file at the root of the web server hosting your domain.
    - Click on the Refresh button to check the Certificate status. It might take a few minutes for verification to complete.

    For example, if you are buying a standard certificate for azure.com with Domain Verification Token ‘1234abcd’ then a web request made to http://azure.com/1234abcd.html should return 1234abcd.

    Please keep in mind that a certificate order has only 15 days to complete the domain verification operation. After 15 days the certificate is denied by the certificate authority and you are not charged for the certificate. Please delete this certificate and try again.

    Let us know if you have any other questions.

    Thursday, January 24, 2019 1:27 AM
    Moderator
  • This approach is not an option for us. The site that hosts our domain does not provide an API with which we could upload a file to the root of our domain. The TXT record verification method is the best option in our case. This is in fact what we use to verify certificates for our AWS projects. The question is, why is this method failing in the Azure case? It's not clear from this error what the problem is.

     
    • Edited by PeterSteele Friday, January 25, 2019 9:42 PM
    Friday, January 25, 2019 9:40 PM
  • Hi PeterSteele,

    Sorry for the delay in response. We need to do deeper analysis for this issue. Do you have the ability to open a support request? If not, you can email me at AzCommunity@microsoft.com and provide me with your SubscriptionID, the time when you started experiencing this issue, and a link to this thread. I can enable your subscription to be able to create one.

    Monday, January 28, 2019 6:15 AM
    Moderator
  • I do not appear to be able to open a support request. I'll send you my details.

    Monday, January 28, 2019 1:54 PM
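
A pre-flight check for the two manual methods discussed in this thread (the TXT record from the question and the HTML file from the moderator's reply), added here as an example; it is not code from the thread or from Microsoft. The function names, the example.com domain and the strict exact-match comparison are assumptions: the thread does not say how tolerant the certificate authority is.

```python
import json
import urllib.error
import urllib.request

NOT_FOUND = "CertificateResellerWebService_NOT_FOUND_TOKEN"  # code quoted in the question


def token_not_found(response_text):
    """True if a verifyDomainOwnership error body carries the code from the question."""
    return json.loads(response_text).get("Code") == NOT_FOUND


def txt_record_has_token(txt_values, token):
    """Check TXT values, as printed by dig or nslookup for the domain root."""
    for raw in txt_values:
        # Resolvers print a record as one or more quoted chunks; join the chunks.
        value = "".join(raw.split('"')[1::2]) if '"' in raw else raw.strip()
        if value == token:  # assumption: the value must equal the token exactly
            return True
    return False


def _http_get(url):
    """Fetch the URL and return (status, first 4 KiB of the body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def html_file_problem(domain, token, fetch=_http_get):
    """Return None if http://{domain}/{token}.html returns the token, else a reason."""
    url = f"http://{domain}/{token}.html"
    status, body = fetch(url)
    if status != 200:
        return f"{url} returned HTTP {status}"
    text = body.decode("utf-8", errors="replace")
    if text == token:
        return None
    if text.lstrip("\ufeff").strip() == token:
        return "token is surrounded by whitespace or a byte order mark"
    if "<" in text:
        return "body contains markup; the file should hold only the token"
    return "body does not match the token"


if __name__ == "__main__":
    # Constructed sample data: example.com plus the token 1234abcd from the reply's example.
    print(txt_record_has_token(['"v=spf1 -all"', '"1234abcd"'], "1234abcd"))
    print(html_file_problem("example.com", "1234abcd", fetch=lambda u: (200, b"1234abcd\n")))
```

Pass the TXT values that an external resolver returns for the domain root, so that a record created under a subdomain or not yet propagated shows up as a miss before the portal's Refresh is tried.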