Unable to create a Managed Certificate for a public Container App and fails without any error or stack trace

Question

Unable to create a Managed Certificate for a public Container App and fails without any error or stack trace

Lars Gjestang 5

We received an email from Microsoft regards the new limitations for creating or renewing managed certificates. However, already 2 weeks ago this change seems to have affected both us and our customers (using the same application from Marketplace) and results in failure when trying to add a custom domain.

This is the Ingress for the Container App that needs to be mapped with a custom domain:

User's image

(FYI: The default is Transport=HTTP/1 and Insecure connection=Not allowed but the screenshot was just one of the tests after the defaults failed)

When following the guide to add a custom domain ("Managed Certificate", Subdomain, Adding CNAME and TXT to DNS provider) - the same method we have used on many clients upon now without issues - will succesfully validate the DNS records but no longer be able to create a managed certificated (which typically took 1-2 minutes before the changes in July). Checking the certificate status had the Certificate status "Pending" for over an hour
User's image

And after 1,5-2 hours the status changed to "Failed":

User's image

From all the threads and blog posts from Microsoft regards to the certificate updates we can't find any reason why this suddenly won't work anymore. In "actvity log" I am just getting a long list of "Read Managed Certificate in Managed Environment" with status "Running" - example:

"correlationId": "0ddb1cf5-6a58-444e-b2a5-09edc0d32ca7"

And here is the Corr Id, stilling with status "Running" even after the main status is "Failed":

"correlationId": "4e7ee1f0-934b-43d9-a3cc-3b9fbf40a67c"

Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-29T13:47:12.11+00:00
Hello Lars Gjestang •,

The problem with Managed Certificate creation failing for your Azure Container App.

Here are a few things you can check to help troubleshoot this:

DNS Configuration: Please verify that your DNS records are configured correctly:

For apex domains (such as example.com): An A record should point to the IP address of your Container Apps environment.

For subdomains (such as www.example.com): A CNAME record should point directly to your container app’s generated domain name (for example, myapp.azurecontainerapps.io) rather than to any other CNAME values.

Ingress Configuration: Make sure that HTTP ingress is enabled for your container app. The application must be publicly accessible for the managed certificate to be generated.

Validation Method: When adding a custom domain, please confirm that you are selecting the appropriate validation method—either HTTP or CNAME—according to your DNS configuration.

Ensure all necessary conditions for managed certificates are continuously satisfied during issuance. Modifications to DNS or ingress settings may affect the certificate status.

Review Activity Logs: Observing "Running" statuses in your activity log may indicate that a process is stalled. It is advisable to verify that the setup is correct and then attempt to re-initiate the process.
Lars Gjestang 5 Reputation points

2025-07-30T05:56:44.2833333+00:00
@Krishna Chowdary Paricharla

It's in the description - I used CNAME. I have verified the DNS configuration.

It's in the description - see it's enabled in the screenshot

See 1) and in the description - I use CNAME

As I wrote in the end of the description - I have seen all the blogs/updates regards to this and can't find any reason why it fails. It's public, doesn't use trafficmanager.net, no IP restrictions.

I have done the setup several times and I get the same result every time
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-30T09:00:44.64+00:00

Hello Lars Gjestang •,

Could you please check the private message and provide the required details for troubleshooting the issue further.

Here is the reference link on how to access & data retention policy of private messages in Microsoft Q&A.
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-31T14:17:32.34+00:00

Hello Lars Gjestang •,

Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions.
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-08-04T17:58:13.6633333+00:00

Hello Lars Gjestang •,
I wanted to follow up to see if you’ve had an opportunity to look over my earlier response. Please let me know if you have any further questions.
Lars Gjestang 5 Reputation points

2025-08-05T08:48:45.6533333+00:00

Sorry for not following up the private message (I didn't find it at first) and we already got a consultant from MS in another ticket)
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-08-05T18:03:55.3733333+00:00

Hello Lars Gjestang •,

As outlined in the documentation: https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?pivots=azure-portal#free-certificate-requirements

The container must be publicly accessible. In your setup, only HTTPS was enabled, so only port 443 was open in the Network Security Group. However, port 80 also needs to be open to create a managed certificate. Adjusting the Network Security Rules to allow traffic on port 80 resolved the issue.

Please consider clicking "Accept the answer" to help others in the community who may have similar questions. Thank you for your participation!
Lars Gjestang 5 Reputation points

2025-08-06T09:35:03.69+00:00
Please point me to where the "port 80" is specified in the documentation. I can only find the requirement to have "HTTP Ingress" enabled which is later described with the following steps:

Set HTTP Ingress to Enabled.

Select the desired Ingress traffic setting.

I do not find any information that port 80 is required for MC creation

1 answer

Your answer

Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-29T13:47:12.11+00:00

Hello Lars Gjestang •,

The problem with Managed Certificate creation failing for your Azure Container App.

Here are a few things you can check to help troubleshoot this:

DNS Configuration: Please verify that your DNS records are configured correctly:

For apex domains (such as example.com): An A record should point to the IP address of your Container Apps environment.

For subdomains (such as www.example.com): A CNAME record should point directly to your container app’s generated domain name (for example, myapp.azurecontainerapps.io) rather than to any other CNAME values.

Ingress Configuration: Make sure that HTTP ingress is enabled for your container app. The application must be publicly accessible for the managed certificate to be generated.

Validation Method: When adding a custom domain, please confirm that you are selecting the appropriate validation method—either HTTP or CNAME—according to your DNS configuration.

Ensure all necessary conditions for managed certificates are continuously satisfied during issuance. Modifications to DNS or ingress settings may affect the certificate status.

Review Activity Logs: Observing "Running" statuses in your activity log may indicate that a process is stalled. It is advisable to verify that the setup is correct and then attempt to re-initiate the process.
Lars Gjestang 5 Reputation points

2025-07-30T05:56:44.2833333+00:00

@Krishna Chowdary Paricharla

It's in the description - I used CNAME. I have verified the DNS configuration.

It's in the description - see it's enabled in the screenshot

See 1) and in the description - I use CNAME

As I wrote in the end of the description - I have seen all the blogs/updates regards to this and can't find any reason why it fails. It's public, doesn't use trafficmanager.net, no IP restrictions.

I have done the setup several times and I get the same result every time
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-30T09:00:44.64+00:00

Hello Lars Gjestang •,

Could you please check the private message and provide the required details for troubleshooting the issue further.

Here is the reference link on how to access & data retention policy of private messages in Microsoft Q&A.
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-07-31T14:17:32.34+00:00

Hello Lars Gjestang •,

Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions.
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-08-04T17:58:13.6633333+00:00

Hello Lars Gjestang •,
I wanted to follow up to see if you’ve had an opportunity to look over my earlier response. Please let me know if you have any further questions.
Lars Gjestang 5 Reputation points

2025-08-05T08:48:45.6533333+00:00

Sorry for not following up the private message (I didn't find it at first) and we already got a consultant from MS in another ticket)
Krishna Chowdary Paricharla 2,080 Reputation points Microsoft External Staff Moderator

2025-08-05T18:03:55.3733333+00:00

Hello Lars Gjestang •,

As outlined in the documentation: https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?pivots=azure-portal#free-certificate-requirements

The container must be publicly accessible. In your setup, only HTTPS was enabled, so only port 443 was open in the Network Security Group. However, port 80 also needs to be open to create a managed certificate. Adjusting the Network Security Rules to allow traffic on port 80 resolved the issue.

Please consider clicking "Accept the answer" to help others in the community who may have similar questions. Thank you for your participation!
Lars Gjestang 5 Reputation points

2025-08-06T09:35:03.69+00:00

Please point me to where the "port 80" is specified in the documentation. I can only find the requirement to have "HTTP Ingress" enabled which is later described with the following steps:

Set HTTP Ingress to Enabled.

Select the desired Ingress traffic setting.

I do not find any information that port 80 is required for MC creation

Answer 1

Another colleague opened a support ticket with Microsoft Team about same topic but we identified the issue ourself after some troubleshooting.

To answer this thread:
The Container App is Public (Ingress:Enabled, Traffic:Accept from Anywhere, IP Restrictions: Allow ALL). However it is part of a Container App Environment that was using a Network Security Group which limited the external access to ports that weren't specified to be opened. For the Managed Certificate to work it needs to ping with a HTTP (port 80) request. Once that was enabled the certificate was created within a few minutes and rest of application worked fine using Network Security Group.

We found the Blog post and requirements from Microsoft to quite vague and should be improved to include this requirement.

Share via

Unable to create a Managed Certificate for a public Container App and fails without any error or stack trace

1 answer

Your answer