Tags: azure, dns, azure-web-app-service, azure-traffic-manager

Azure App Service Managed Certificate on Secondary Instance without Downtime


I have a web app set up in an active/passive configuration in Azure using traffic manager, so two app services in two different regions with TM in front. I have configured the same custom domain on both and want to use Azure App Service Managed Certificates on both as well.

The TM profile is configured using priority mode as I want all traffic to go to the primary app service and only in the event of downtime to go to the secondary.

When I attempt to add the certificate on the second app service I get a message similar to the following:

Hostname not eligible for App Service Managed Certificates creation. Ensure that your domain abc.xyz.com has an active CNAME record which is set to my-secondary-app-service.azurewebsites.net.

With this setup the CNAME has to point to the TM address. Doing this allows the custom domain to be configured on all endpoints behind the TM, but it only allows a managed cert to be configured on the primary endpoint.

How can I configure a managed certificate on the secondary endpoint without downtime and CNAME changes?


Solution

  • So based on the details in this thread I've come up with a workaround to set this up which doesn't require CNAME changes or downtime but is partly manual in the portal.

    Once you have your custom domain name configured on both endpoints, you can use the following section of the script from the link above to create a certificate for the secondary endpoint:

    # Requires the Az.Resources module and a signed-in session (Connect-AzAccount).
    # The certificate resource must live in the same resource group and region as
    # the App Service plan hosting the secondary app.
    $resourceGroupName = "my-resource-group"
    $appServicePlan = Get-AzResource -Name "my-app-service-plan" `
        -ResourceGroupName $resourceGroupName `
        -ResourceType "Microsoft.Web/serverfarms"
    
    # canonicalName is the custom hostname already added to the secondary app;
    # serverFarmId ties the managed certificate to the plan, which is what lets
    # App Service issue it even though the CNAME points at Traffic Manager.
    $propertyObject = @{
        canonicalName = "mydomain.com"
        serverFarmId  = $appServicePlan.ResourceId
    }
    
    # create the certificate - Azure managed certificate names are usually of the form <domain name>-<app service name>
    # -Location must be the plan's region (the same value as $appServicePlan.Location)
    New-AzResource -Name "my-unique-certificate-name" `
        -Location "westus" `
        -PropertyObject $propertyObject `
        -ResourceGroupName $resourceGroupName `
        -ResourceType Microsoft.Web/certificates `
        -Force
    

    When the above is complete, you can simply configure the binding from the custom domain name to the certificate created above to complete the process. This is done via the Add Binding option next to the domain name under Custom Domains on the secondary app service.

    Note that this second step was not possible using the second part of the script from the link above (it failed, complaining about missing TXT DNS records; I tried various options, none of which worked). It may be possible to add the binding via an ARM template and therefore automate the whole thing; I haven't tried this.
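Because DNS sends every request through Traffic Manager to the primary, a normal browser test never exercises the secondary's certificate, so a broken or missing binding there only shows up during a failover. The following PowerShell is an added verification example (not part of the question or the answer above) that checks the result of the procedure end to end: it reads the managed certificate's thumbprint from ARM, confirms the secondary app's SNI binding uses that thumbprint, and then opens a TLS connection directly to the secondary's azurewebsites.net hostname while sending the custom domain as SNI, which is exactly what a client does after failover. The names abc.xyz.com, my-secondary-app-service and my-resource-group are the hypothetical values used on this page.

```powershell
# Added verification example; assumes the hypothetical names used on this page
# and a signed-in Az session (Connect-AzAccount) with Az.Resources and Az.Websites.
$customDomain  = "abc.xyz.com"
$resourceGroup = "my-resource-group"
$secondaryApp  = "my-secondary-app-service"
$secondaryHost = "$secondaryApp.azurewebsites.net"

# 1. Locate the managed certificate issued for the domain and read its thumbprint.
$managedCert = Get-AzResource -ResourceGroupName $resourceGroup `
    -ResourceType "Microsoft.Web/certificates" -ExpandProperties |
    Where-Object { $_.Properties.canonicalName -eq $customDomain }
if (-not $managedCert) {
    throw "No managed certificate for $customDomain found in $resourceGroup"
}
$expectedThumbprint = $managedCert.Properties.thumbprint
"Managed cert: $($managedCert.Name) thumbprint=$expectedThumbprint expires=$($managedCert.Properties.expirationDate)"

# 2. Confirm the secondary app has an SSL binding for the domain using that certificate.
$binding = Get-AzWebAppSSLBinding -ResourceGroupName $resourceGroup `
    -WebAppName $secondaryApp -Name $customDomain -ErrorAction SilentlyContinue
if (-not $binding) {
    throw "No SSL binding for $customDomain on $secondaryApp (the portal Add Binding step is missing)"
}
if ($binding.Thumbprint -ne $expectedThumbprint) {
    throw "Binding on $secondaryApp uses thumbprint $($binding.Thumbprint), expected $expectedThumbprint"
}
"Binding: $($binding.Name) state=$($binding.SslState) thumbprint=$($binding.Thumbprint)"

# 3. Bypass DNS and Traffic Manager: connect to the secondary's own hostname but
#    present the custom domain as SNI, as a client would after a failover.
$tcp = [System.Net.Sockets.TcpClient]::new($secondaryHost, 443)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        # Default validation throws AuthenticationException if the served chain
        # is untrusted or its name does not match $customDomain.
        $ssl.AuthenticateAsClient($customDomain)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        "Served: $($served.Subject) thumbprint=$($served.Thumbprint) notAfter=$($served.NotAfter)"
        if ($served.Thumbprint -ne $expectedThumbprint) {
            Write-Warning "Secondary serves a certificate valid for $customDomain, but not the managed one"
        } else {
            "OK: secondary serves the managed certificate for $customDomain"
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        Write-Error "Secondary does not serve a valid certificate for $customDomain : $($_.Exception.Message)"
    } finally {
        $ssl.Dispose()
    }
} finally {
    $tcp.Dispose()
}
```

Step 3 is the one that matters operationally: if the binding is absent, App Service answers the custom-domain SNI with its default *.azurewebsites.net certificate, the name check fails, and the script reports the same error users would see after a failover. Managed certificates are renewed automatically, so re-running the script after a renewal also confirms the binding picked up the new thumbprint.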