This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 71%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED0%3C/text%3E%3C/svg%3E)
When trying to create a managed certificate for a web site the validation returns the following error:
"Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain has an active CNAME record...."
The CNAME recordset value has been added to the DNS Zones entry and the alias is the correct name of the app service being used. Creating the certificates has not been a problem in the past but now it is no longer working and our automated scripts that were creating the certificates were working last week but are no longer working.
Why can we not validate the certificate when everything has been configured correctly?
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
Managed certificates only work after Azure successfully verifies the custom domain binding. If validation fails, certificate creation will fail.
Can you try running nslookup <your-domain> and confirm it resolves to <appname>.azurewebsites.net
Also check if there are any proxy layers or recent DNS changes made
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 85%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
Hi @developer-0760
Thank you for reaching us regarding the issue.
We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know. We appreciate your patience while we work on this.
Thanks for the quick response.
I have already tested it with the nslookup and it correctly resolves to the app service I am using.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 7.000000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hi @developer-0760
Thanks for the information provided in private message from deep investigation we found that DNS is set up correctly. The CNAME for XXXXXX.wXXXXX.cloud is pointing straight to your App Service hostname , it resolves to the right IP, and the site is reachable over HTTPS.
The “Hostname not eligible for App Service Managed Certificates creation” error is happening because Azure still requires one extra step before a managed certificate can be created: the custom domain must be added and validated as a hostname binding inside the App Service resource itself.
Right now your app is still serving the default *.azurewebsites.net wildcard cert (exactly what the SSL Checker is showing). Once the domain is bound in the App Service, the managed certificate creation works reliably.
Quick fix (takes just a couple of minutes):
reference :
https://dori-uw-1.kuma-moon.com/en-us/azure/app-service/tutorial-secure-domain-certificate
Kindly let us know if the above helps or you need further assistance on this issue.
Please "upvote" if the information helped you. This will help us and others in the community as well.
The reason you might have seen it still using the default domain is because it was in the process of being re-created after I accidentally deleted it. The app service has been recreated and the custom domain has since been added and the same error “Hostname not eligible for App Service Managed Certificates creation” is still occurring when trying to validate the managed certificate creation.
The way we are creating the certificates has not changed and the same process was working fine a couple of days ago but now we cannot seem to add any managed certificates to our app services.
Hi @developer-0760
Thank you for sharing the information via private message. We will review it and provide an update as soon as possible.
Hi @developer-0760
from deep investigation we found The main reason you're seeing the “Hostname not eligible for App Service Managed Certificates creation” error is clearly stated in the validation failure:
[CheckARecordForHttpValidatedWebspaceASMCRequests]: Not found A record directly pointing to ip address
Even though your CNAME is correctly configured and resolving, after the recent App Service recreation, Azure’s managed certificate validation is now strictly checking for an A record that points directly to your App Service’s IP address
Recommended Solution:
Also add this CAA record (required for DigiCert issuance):
This A-record requirement during validation is a common gotcha after App Service recreations, even when CNAME worked fine before.
reference :
https://dori-uw-1.kuma-moon.com/en-us/azure/app-service/tutorial-secure-domain-certificate
Kindly let us know if the above helps or you need further assistance on this issue.
Please "upvote" if the information helped you. This will help us and others in the community as wel
Answer accepted by question author
Hi @developer-0760
Apologies for the delay.
I hope that the blocker has now been removed. This should be working as expected. Could you please check and confirm from your end? Kindly let us know if this helps or if you need any further assistance on this issue.
The certificate that was failing has now been successfully created.
Thanks for the help.