
I have an App Service Certificate in Azure that is set to auto renew. When I try to import it into the associated App Service, however, I get the error:

App Service Certificate is not issued.

How do I “issue” an App Service Certificate so that it can be assigned to an App Service via import?

App Service Certificate Configuration

To verify the status of the App Service Certificate, I did the following:

  1. Open the “App Service Certificate” under “All Resources”
  2. Click “Certificate Expired” warning (or, alternatively, “Certificate Configuration”)
  3. Confirmed “Certificate successfully imported to Key Vault” (checked)
  4. Confirmed “Domain ownership verified” (checked)
  5. Confirmed “Certificate ready to use in App Service”
  6. Followed instructions under “Step 3: Assign”

App Service Certificate Assignment

To assign the App Service Certificate, I followed the instructions under the Certificate Status’s “Step 3: Assign” window. This is similar to the instructions on Microsoft’s Buy SSL Cert page.

  1. Open the “App Service” under “All Resources”
  2. Click “TLS/SSL Settings”
  3. Click “Private Key Certificates (.pfx)”
  4. Click “Import App Service Certificate”
  5. Click the App Service Certificate (it shows up as expected)
  6. Receive error, “App Service Certificate is not issued.”

Note: The steps above are slightly different than those in the “Certificate Status” page due to changes in the Azure Portal user interface. E.g., “Custom domains and SSL” has been renamed to “TLS/SSL Settings”, and “Certificates” has been renamed to “Private Key Certificates (.pfx)”.

Other Information

As part of troubleshooting this process, I also verified the following:

  1. The certificate is currently marked as expired
  2. “Auto Renew App Service Certificate” is set to “On”
  3. “Manual renewal not allowed at this time… to prevent accidental renewal”
  4. “Rekey is not allowed” since the certificate is not in an issued state
  5. While “Step 3: Assign” reports “Certificate ready to use in App Service”, that step is not checked—presumably because it hasn’t been assigned.

Note: I went through this process last year with this same Subscription, App Service, and App Service Certificate without a problem.

Analysis

The “Step 3: Assign” instructions state “completing all the steps will get the certificate to the Issued state”. It then goes on to say, “An issued App Service certificate may be used on any App Service Web App”. There seems to be a missing step between these, however, as while it reports that “Certificate ready to use in App Service”, the App Service states that the “App Service Certificate is not issued”. How do I get the App Service Certificate to an “Issued” state?

Jeremy Caney
  • @JoeyCai, I ended up opening a support ticket with Microsoft. Tier 1 support had me simply work around the issue by purchasing a new certificate. As for a long-term solution, they’ve escalated the problem to the product team. It seems there was some bug in the automatic renewal process that left my new certificate in a limbo state. I’ll report back with their findings assuming they’re able to isolate the issue. In the meanwhile, I’ll be monitoring our certificate renewals carefully. – Jeremy Caney Jun 21 '19 at 02:32

1 Answer

The certificate is currently marked as expired, “Auto Renew App Service Certificate” is set to “On”

As you have said, your certificate is expired now, and though you turned on the Auto Renew setting, it does not bind the new cert to the WebApps that the cert it is replacing is currently bound to. You need to manually bind the new cert once it is available. Here is an article you could refer to in order to renew your certificate.

Also, if you are creating a new app service certificate and get this error, I suggest you delete it and recreate a new one.

Joey Cai
  • Understood that the auto-renewed certificate isn’t automatically bound. In this case, though, I wasn’t even able to import the certificate because the new certificate was never issued by GoDaddy—a step that is supposed to happen once the domain is validated. – Jeremy Caney Jun 21 '19 at 02:28
  • Would you mind recreating the certificate? I got a similar error to yours, and recreating one worked. – Joey Cai Jun 21 '19 at 02:29
  • Joey—yeah, that’s what I ended up having to do. That’s fine as a short term workaround, but doesn’t give me much confidence in the autorenew process, and obviously adds a bit of overhead every time a certificate expires (e.g., having to go through the domain validation process). Hopefully the product team is able to come up with a fix to whatever left this certificate in an orphaned state. – Jeremy Caney Jun 21 '19 at 02:34
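Added example, not part of the question, answer or comments above: a small triage check for the state discussed in this thread, where auto-renew is on but the certificate order is expired and not in the Issued state. It assumes the order has been exported as ARM resource JSON (for instance with `az resource show`), and the field names `properties.status`, `properties.autoRenew` and `properties.expirationTime` are assumptions about that JSON; the sample order is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample order; the field names are assumptions about the ARM
# JSON of an App Service Certificate order, not values taken from this page.
SAMPLE_ORDER = json.loads("""
{
  "name": "example-order",
  "properties": {
    "status": "Pendingissuance",
    "autoRenew": true,
    "expirationTime": "2019-06-01T00:00:00+00:00"
  }
}
""")


def parse_time(value):
    """Parse an ISO 8601 timestamp; treat values without an offset as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def triage_order(order, now, warn_days=30):
    """Return a list of findings for one certificate order (empty if healthy)."""
    props = order.get("properties", {})
    status = props.get("status", "")
    expires = props.get("expirationTime")
    expired = expires is not None and parse_time(expires) <= now
    findings = []
    if status.lower() != "issued":
        # The state in which the import reported "App Service Certificate is not issued".
        findings.append(f"not issued (status={status or 'missing'}): cannot be imported")
        if props.get("autoRenew") and expired:
            findings.append("auto-renew is on but the certificate expired: renewal is stuck")
    elif expired:
        findings.append("issued certificate has expired")
    elif expires and parse_time(expires) - now <= timedelta(days=warn_days):
        # Auto-renew does not rebind the new certificate, so flag it early.
        findings.append(f"expires within {warn_days} days: confirm renewal and rebind")
    return findings


if __name__ == "__main__":
    for finding in triage_order(SAMPLE_ORDER, datetime.now(timezone.utc)):
        print(f"{SAMPLE_ORDER['name']}: {finding}")
```

Run on a schedule against each order, a non-empty result is the signal to check the renewal before the bound certificate lapses.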