Custom Domain with HTTPS enabled is using wrong certificate leading to SSL_ERROR_BAD_CERT_DOMAIN

  • Question

  • Hi there

    I've configured my CDN custom domain to use my own certificate that's loaded from the Key Vault, etc.

    Deployment went through smoothly. However, when I test the domain in a web browser, I get an SSL_ERROR_BAD_CERT_DOMAIN error.

    Looking at the certificate details available via the web browser, it is a CDN managed cert that includes another custom domain I had on the same CDN endpoint.

    I've since deleted that other custom domain, purged the endpoint, stopped/started the endpoint, waited several hours, all to no avail.

    Do I need to wait even longer? Or could something be jammed up? Or maybe I need to wait for the previous managed certificate to be re-issued for it to detect that the other custom domain doesn't exist?

    Is it supported to have multiple custom domains per endpoint, all with different types of SSL certificate configuration?

    Any help would be much appreciated.

    Many thanks.

    Martin




    • Edited by MC2020 Wednesday, March 25, 2020 10:23 PM
    Wednesday, March 25, 2020 10:22 PM

Answers

  • I've recreated the CDN profile using Standard Microsoft rather than Standard Verizon and am pleased to say it now works. Also, the SSL cert took only minutes to provision rather than the several hours of Verizon which is great.

    Thanks for your help.

    Thursday, March 26, 2020 9:21 PM

All replies

  • Hi, 

    A custom domain and its subdomain can be associated with only a single endpoint at a time. However, you can use different subdomains from the same custom domain for different Azure service endpoints by using multiple CNAME records. You can also map a custom domain with different subdomains to the same CDN endpoint.

    Alternatively, if this takes longer, then delete the CDN endpoint, recreate it, and enable the custom domain with the right certs.

    Regards, 

    msrini

    Thursday, March 26, 2020 7:23 AM
  • Hi msrini

    Thank you for your reply.

    Would you please elaborate on those restrictions with examples?

    Are you saying that if example.com is bound to an endpoint A, then blog.example.com and cdn.example.com, say, can only be bound to endpoint A and cannot be bound to endpoint B?

    Are those restrictions documented anywhere?

    Many thanks.

    Martin

    • Edited by MC2020 Thursday, March 26, 2020 10:17 AM
    Thursday, March 26, 2020 10:13 AM
  • Also, what about blog.domain1.com with CDN-managed-SSL-cert and domain2.com with User-Provided SSL cert: can they both be bound to the same CDN endpoint concurrently?

    Thanks.

    Thursday, March 26, 2020 10:23 AM
  • Here is the doc which mentions the restriction: https://docs.microsoft.com/en-us/azure/cdn/cdn-map-content-to-custom-domain#create-a-cname-dns-record

    Regards, 

    Msrini

    Thursday, March 26, 2020 11:18 AM
  • I've deleted the CDN endpoint, waited an hour, and recreated it. Then added a custom domain to it and bound my own SSL cert to that. The certificate has now successfully been validated and installed after a 6-hour wait, but it is still broken as described above.

    There is something clearly broken here. It shouldn't be rocket science and take 3 days to do this and still not work.

    Please can you look into it for me. This is not a support request but more like a bug report.

    Thanks.





    • Edited by MC2020 Thursday, March 26, 2020 7:12 PM
    Thursday, March 26, 2020 6:44 PM
  • In short, I've bound my own certificate to the single custom domain and this is the certificate that is eventually bound:

    vivaldisinterim-prd-cdn-media.azureedge.net, originwe-cdn.azureedge.net, gdprq.azureedge.net, static.orocash.it, orocashcdn.azureedge.net, st2.cincovillas.com, st1.cincovillas.com, lynx00.azureedge.net, deepspace.topology.com, cdn.autocaresmarin.es, cdn.glassix.com, cdn.casalorcaroses.com, casalorcawebcdn.azureedge.net, cdn.cuirots.es, sandbox-cartography-endpoint.azureedge.net, cdn.sssihms.org, sssihms.azureedge.net, rewardapp-static.azureedge.net, stg-cdn.usami-app.mobi, cuirotswebcdn.azureedge.net, cdn-javascripts-infousa.azureedge.net, cdn-javascripts.infousa.com, cdn-images-infousa.azureedge.net, cdn-css.infousa.com, backoffice-int.amplifyrpm.net, amplifybackoffice-int.azureedge.net, cdn1lg.azureedge.net, catalyst.azureedge.net, extcdn.manggo.se, images.gorentals.co.nz, cdn1.lg.com.br, sa461gl.wpc.edgecastcdn.net


    • Edited by MC2020 Thursday, March 26, 2020 6:48 PM
    Thursday, March 26, 2020 6:47 PM
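
A way to check outside the browser which names the certificate served for a custom domain actually covers, which is the comparison behind SSL_ERROR_BAD_CERT_DOMAIN. This is an added example, not part of the original thread; the host names and SAN lists are constructed, the matching is a simplified form of RFC 6125 (dNSName entries only), and `served_dns_names` needs network access.

```python
import socket
import ssl


def san_matches(hostname, dns_names):
    """True if hostname is covered by a dNSName SAN (simplified RFC 6125 matching)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        # A wildcard counts only as the whole left-most label and stands for
        # exactly one label: *.example.com covers blog.example.com, not example.com.
        if (labels[0] == "*" and len(labels) > 2
                and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]):
            return True
    return False


def served_dns_names(hostname, port=443, timeout=10):
    """Return the dNSName SANs of the certificate the server presents for this SNI name.

    The chain is still verified; only the host-name check is switched off so that
    a certificate issued for other names can be read instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname, dns_names):
    """Summarise whether the served certificate fits the custom domain."""
    if san_matches(hostname, dns_names):
        return "ok"
    return "mismatch: certificate covers %d other name(s), not %s" % (len(dns_names), hostname)


# Constructed SAN lists: a shared CDN-managed certificate and a user-provided one.
SHARED_CERT = ["endpoint.cdn-provider.example", "cdn.other-tenant.example", "*.edge.example.net"]
OWN_CERT = ["example.com", "*.example.com"]

if __name__ == "__main__":
    print(diagnose("cdn.example.com", SHARED_CERT))
    print(diagnose("cdn.example.com", OWN_CERT))
    # Live check (needs network): diagnose(host, served_dns_names(host))
```

Running the live check after each change to the endpoint shows whether the edge has switched to the user-provided certificate, independent of browser caching.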