This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 83%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKI%3C/text%3E%3C/svg%3E)
Environment:
Subscription: <redacted subscription id>
App Service: <redacted app svc name>, West US 2, P1V2 Linux
App Service Plan: <redacted plan name>
Custom domain: <redacted custom domain>
DNS hosted in Azure DNS zone <redacted actual domain name>
Nameservers: ns1-03.azure-dns.com, ns2-03.azure-dns.net, ns3-03.azure-dns.org, ns4-03.azure-dns.info
DNS Records configured:
<app-name> CNAME 3600 <app_name>-app.azurewebsites.net
asuid.<app_name> TXT 300 [redacted value]
DNS resolution confirmed from all resolvers:
dig <app-name>.<domain-name> CNAME @ns1-03.azure-dns.com +short → <app_name>.azurewebsites.net
dig <app-name>.<domain-name> CNAME @8.8.8.8 +short → <app_name>.azurewebsites.net
nslookup <app-name>.<domain-name> 8.8.8.8
→ <app-name>.<domain-name> CNAME <app-name>-app.azurewebsites.net
→ <app-name>-app.azurewebsites.net CNAME waws-prod-mwh-xxx.sip.azurewebsites.windows.net
→ waws-prod-mwh-xxx-yyyy.westus2.cloudapp.azure.com A <app-svc-ip-address>
No CAA records exist on rai-rcl.com
Hostname binding: Successfully added via az webapp config hostname add → hostNameType: Verified ✓
Managed cert creation failure — all combinations tried:
|HTTPS_ONLY | Easy Auth | DNS record | Error |
|ON | Enabled | CNAME | "Current CNAME record is empty" |
|ON | Enabled | CNAME | "Current CNAME record is empty" |
|OFF | Enabled | CNAME | CheckARecordForHttp — "A record not found" |
|OFF | AllowAnonymous | CNAME | Same A record error |
|OFF | Fully disabled | CNAME | Same A record error |
|ON | Enabled | A record | Ensure CNAME is set to <the app service managed url>|
|OFF | Fully disabled | A record | Still failed |
Diagnostic log (from Diagnose and Solve Problems):
Create Managed Certificate | <app-name>.<domain-name> | Failed | HTTP DNS Check Failed
Cause: [CheckARecordForHttp/ValidatedWebspaceASMCRequests] Not found A record directly
pointing to ip address <app-ip-address> of website <app-svc-name> where the hostname was added
in the webspace <resource-group>-WestUS2webspace-Linux of server farm <app-svc-plan>.
Current A record of the hostname <app-name>.<domain-name> has no A record set.
Azure's own DNS diagnostic result (same subscription, same session):
✅ DNS Name resolution check passed — <app-name>.<domain-name> resolves to (correct IP) CNAME chain fully visible: <app-name>.<domain-name> → <app-name>-app.azurewebsites.net → waws-prod-mwh-xxx... → (correct IP)
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
Yes. confirmed. the backend team's fix worked and I am able to validate and bind the app-service certificate correctly.
May I ask - what was the root cause, and what was the fix?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 7.000000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hello @kasin-ik
Great to hear the issue has been resolved thanks for confirming. The RCA is underway and will be shared soon. Meantime could you please accept the answer so we can move forward with closure. If you have any other questions, just leave a comment and I’ll be ready to assist.
Answer accepted by question author
Hello @kasin-ik
Apologies for the delay.
I’ve coordinated with the backend team and verified that the blocker has been resolved. This should now be functioning properly. Please check on your end and confirm. If you require any additional support, just let us know.
The managed certificate flow is failing because the validation logic is explicitly requiring an A record that points directly to the app’s IP, even though CNAME is generally supported for custom domains. This behavior matches the documented requirement for certain certificate scenarios: for free managed certificates and apex-domain certificates, an A record must exist and point to the web app IP, and CNAME-only configurations are not sufficient for HTTP-based validation.
From the context:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 51%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
<app-name>.azurewebsites.net. If these conditions are not met, certificate issuance/renewal is blocked.CheckARecordForHttp / “A record not found”) is consistent with this requirement.Given the behavior and the available documentation, the practical resolution is:
az webapp config hostname list).<app-name>.azurewebsites.net if needed for other scenarios, but do not have both A and CNAME for the same name; choose one per hostname as required.@; for subdomains, asuid.<subdomain>), as described in the custom domain and certificate troubleshooting guidance.If the hostname must remain CNAME-only and cannot have an A record pointing to the app IP, the built-in managed certificate mechanism may not complete HTTP validation for that specific configuration. In that case, the alternative is to use a different certificate option (for example, an App Service certificate or an external certificate uploaded as PFX) and bind it manually, following the documented certificate lifecycle (Buy/Store/Verify/Import/Bind).
References: