
Pending revalidation - AFD managed certificate

Tobias Runesson 40 Reputation points
2026-02-27T09:00:30.67+00:00

Yesterday (we noticed at 06:58 UTC), in Front Door - Domains we had one domain with an AFD managed certificate (of several domains listed) where it said "Pending Revalidation", "Domain Validation needed" and "Certificate needed". This is a domain that was set up a long time ago, and the DNS records haven't changed.

When looking at "Validate custom domain ownership" everything looked correct and the correct value for _dnsauth was present in our Azure DNS.

I've solved the issue by clicking "Regenerate" in "Validate custom domain ownership" and updating the record value.

But I wonder what happened?

Azure Front Door

An Azure service that provides a cloud content delivery network with threat protection.


Answer accepted by question author
  Alex Burlachenko 19,850 Reputation points MVP Volunteer Moderator
    2026-02-27T09:29:28.6133333+00:00

    hi Tobias Runesson,

    This happens when Azure Front Door needs to revalidate domain ownership for the managed certificate and the existing validation token is no longer considered valid, even if your DNS record hasn't changed. AFD managed certificates are issued and renewed automatically, but they depend on periodic domain validation. If the underlying certificate authority (DigiCert or Let's Encrypt, depending on region or platform version) requires revalidation during renewal, AFD may mark the domain as Pending Revalidation. When that happens, the existing _dnsauth token can expire internally even though the DNS record still exists and looks correct.

    Common triggers include: the certificate renewal cycle being reached and revalidation being required; a backend platform migration or infrastructure refresh in Front Door; an expired validation token on Microsoft's side; or a temporary DNS resolution issue during the renewal window.

    When you clicked Regenerate, AFD generated a new validation token, which restarted the ownership validation process. Updating the _dnsauth record satisfied the new validation requirement, so certificate issuance resumed. Nothing in your DNS necessarily broke; it's usually part of the certificate lifecycle. If this was a long-standing domain and only one domain was affected, it strongly suggests a renewal/revalidation event rather than a misconfiguration. :)

    My advice to reduce surprises in the future:

    • Monitor certificate expiry in Front Door.
    • Ensure the _dnsauth record TTL is not excessively long.
    • Keep DNS hosted in a highly available zone.

    What you experienced is not uncommon. It is typically tied to the managed certificate renewal process requiring fresh domain validation.

    rgds,

    Alex


Answer accepted by question author
  Thanmayi Godithi 8,545 Reputation points Microsoft External Staff Moderator
    2026-02-27T09:27:02.05+00:00

    Hi @Tobias Runesson,

    Thank you for reaching out on Microsoft Q&A forum.

    This behavior is typically related to the Azure Front Door managed certificate revalidation process, rather than a DNS misconfiguration.

    • Azure Front Door managed certificates are automatically renewed.
    • During certificate issuance and renewal, Azure Front Door revalidates domain ownership using the _dnsauth TXT record.
    • If validation cannot be completed, the domain may transition to: Pending revalidation, Domain validation needed, Certificate needed

    This can occur even when:

    • The _dnsauth TXT record exists
    • DNS has not changed
    • The domain has been working correctly for a long time

    Validation may fail temporarily due to reasons such as:

    • Transient DNS resolution or propagation delays
    • The managed certificate approaching expiry (~45 days prior), triggering a required revalidation.
    • Timeouts during CA validation checks
    • Internal certificate revalidation cycles within Azure Front Door

    When validation fails, Azure Front Door pauses certificate renewal until ownership can be confirmed again.

    Selecting “Regenerate” under Validate custom domain ownership:

    • Generates a new _dnsauth validation token
    • Restarts the domain validation workflow on the Azure Front Door side

    Once the DNS TXT record is updated with the new value, validation completes and certificate renewal proceeds successfully. This explains why the issue was resolved immediately after regenerating the token.

    References:

    Nothing was necessarily misconfigured. The most likely cause was an automatic certificate renewal attempt where domain validation could not be completed temporarily. Regenerating the validation token simply restarted and completed the validation process.

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the answer is helpful, please "Accept the answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

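Both answers above come down to the same check: compare the `_dnsauth` TXT value that DNS actually serves with the validation token Front Door currently expects, and regenerate only when the token is stale or expired. The script below is an added example for this thread, not code from either answer or from Microsoft. It assumes the JSON shape returned by `az afd custom-domain show` (the `domainValidationState` field and `validationProperties.validationToken` / `validationProperties.expirationDate`), which is how the current Azure CLI reports the token and its expiry; the sample JSON, token values and TXT answers are constructed, and the live lookup via `dig` is optional and not exercised by the offline demo.

```python
"""Check a Front Door custom domain's _dnsauth TXT record against the validation token
Front Door currently expects, and say whether regenerating the token is the right move.

Added example for this thread, not code from the original posts or from Microsoft.
Assumes the JSON shape of `az afd custom-domain show` (validationProperties.validationToken,
validationProperties.expirationDate, domainValidationState). Sample data is constructed.
"""
import json
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `az afd custom-domain show ... -o json` for a domain that has
# dropped to "PendingRevalidation" with a freshly issued token (all values made up).
SAMPLE_AFD_DOMAIN_JSON = json.dumps({
    "hostName": "www.contoso.example",
    "domainValidationState": "PendingRevalidation",
    "tlsSettings": {"certificateType": "ManagedCertificate"},
    "validationProperties": {
        "validationToken": "5f1e9c4ab7d24f0c8e3a6b1d9c2f7e05",
        "expirationDate": "2026-03-05T09:00:00.0000000+00:00",
    },
})

# Constructed TXT answer as a resolver would return it: the OLD token is still published,
# which is the situation in the question (record looks fine, but no longer matches).
SAMPLE_STALE_TXT = ["0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d"]

# Fixed "now" values for the offline demo: one inside the token's validity window,
# one after the constructed expirationDate.
SAMPLE_NOW = datetime(2026, 2, 27, 9, 0, tzinfo=timezone.utc)
SAMPLE_AFTER_EXPIRY = datetime(2026, 3, 6, 0, 0, tzinfo=timezone.utc)


def parse_afd_domain(raw_json):
    """Extract (hostname, validation state, expected token, token expiry) from az CLI JSON."""
    d = json.loads(raw_json)
    vp = d.get("validationProperties") or {}
    expiry = None
    if vp.get("expirationDate"):
        # az emits 7-digit fractional seconds; drop the fraction so fromisoformat accepts it.
        expiry = datetime.fromisoformat(re.sub(r"\.\d+", "", vp["expirationDate"]))
    return d["hostName"], d.get("domainValidationState"), vp.get("validationToken"), expiry


def dnsauth_name(hostname):
    """Front Door validates ownership at _dnsauth.<custom domain>."""
    return "_dnsauth." + hostname


def lookup_txt(name):
    """Live TXT lookup with dig (needs network; the offline demo does not call it)."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def evaluate(state, token, expiry, observed_txt, now=None):
    """Map what Front Door expects vs. what DNS serves to a concrete action."""
    now = now or datetime.now(timezone.utc)
    if expiry is not None and now >= expiry:
        return "token-expired: regenerate the token in Front Door, then publish it"
    if token in observed_txt:
        if state == "Approved":
            return "ok: token published and domain approved"
        return "token-published: state is %s, wait for validation to complete" % state
    if observed_txt:
        return "token-mismatch: DNS serves a different value, publish the current token"
    return "no-record: create the _dnsauth TXT record with the current token"


def check_sample(now=None):
    """Run the offline demo against the constructed data."""
    _, state, token, expiry = parse_afd_domain(SAMPLE_AFD_DOMAIN_JSON)
    return evaluate(state, token, expiry, SAMPLE_STALE_TXT, now)


if __name__ == "__main__":
    host, state, token, expiry = parse_afd_domain(SAMPLE_AFD_DOMAIN_JSON)
    print(dnsauth_name(host), "expects", token, "until", expiry)
    print(check_sample(SAMPLE_NOW))
```

For a live check, replace `SAMPLE_STALE_TXT` with `lookup_txt(dnsauth_name(host))` and feed the script the real output of `az afd custom-domain show --resource-group <rg> --profile-name <profile> --custom-domain-name <name> -o json`; when the result is `token-expired` or `token-mismatch`, `az afd custom-domain regenerate-validation-token` with the same arguments is the CLI equivalent of the portal's Regenerate button, after which the new token must be published at `_dnsauth.<domain>`.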
