Azure Static Web App Certificate Renewal Failing to Verify External Provider (Cloudflare DNS)

Question

Azure Static Web App Certificate Renewal Failing to Verify External Provider (Cloudflare DNS)

Daniel-4204 105

Cloudflare is currently both our domain registrar and DNS provider for several domains used as custom subdomains with Azure Static Web Apps.

About one year ago, we configured 3 Azure Static Web Apps to use custom domains.

Based on Microsoft’s documentation, Azure is supposed to automatically renew SSL certificates annually by verifying domain ownership typically through checking the existing CNAME record.

As of today, two of the custom domains are no longer working due to expired certificates in our development environment. The certificate for our production environment is set to expire on August 10, so we’re hoping to resolve this before that date to avoid a service disruption.

I’ve seen other users report similar issues, and some mentioned that Microsoft support advised them privately to add the following CAA records to allow Azure (via DigiCert) to issue certificates:

@ 0 issue "digicert.com"

and another

@ 0 issuewild "digicert.com"

But there was no update on that thread to as if that worked.

These records have been added to the domain's DNS, but so far, domain verification has not succeeded. I still suspect that the issue may be caused by the CNAME record being proxied through Cloudflare, which could be preventing Azure from validating the domain ownership required for certificate renewal. That said, this is only an assumption.

We would prefer not to use Azure Front Door or switch to manual certificate management unless absolutely necessary.

Can you confirm whether Cloudflare’s proxying or automated CAA injection could be interfering with certificate renewal by Azure? And is there a recommended solution that allows us to continue using Cloudflare DNS and Azure Static Web Apps without needing Azure Front Door?

What must be done in order for Azure to be able to verify domain ownership of an existing custom domain instead of deleting the custom domain in Azure and re-adding (which can take days to verify when starting over) I have seen.

Is the solution for now, to delete the custom domain and re-add using TXT record, then proceed with CNAME record after validation. If so, will TXT record value given stay valid long term for future annual domain verifications so that certificate renwal wont fail? How can we make this sustainable to void this downtime?

Daniel-4204 105 Reputation points

2025-08-07T22:53:24.7966667+00:00

Update: For the two custom domains with expired certificates above, I removed and re-added the custom domains using TXT record verification to get them working again.

However, I still need clarity on how to handle the third custom domain, which is set to expire on 2025-08-10 18:59:59 with out reacting to an issue, or without taking it offline for "planned downtime" to trigger a renewal when it should be automatic.

I was hoping a manual re-verification process wasn't required every year. Additionally, I noticed the newly issued certificates expire on 2026-02-07 17:59:59, which is 6 months from now, unlike the original certificates that were valid for a full year.

Thanks,
Siva Nair 345 Reputation points Microsoft External Staff Moderator

2025-08-08T00:34:15.87+00:00
Hi Daniel-4204,

Glad that you made it working. As per your further queries.

Azure Static Web Apps now issue six-month certificates instead of one-year ones. This change aligns with industry-wide security practices, especially from certificate authorities like DigiCert and Let's Encrypt, which are moving toward shorter certificate lifespans to:

Reduce the risk of compromised keys being exploited.

Encourage automation and frequent validation.

Improve overall certificate hygiene and resilience

Azure renews these certificates 45 days before expiration, assuming domain ownership can be verified.

Yes, automatic renewal is possible, but only if:

The original DNS setup (CNAME or TXT record used during initial verification) remains unchanged.

The domain is publicly resolvable and not behind a proxy (like Cloudflare’s orange cloud).

The endpoint .well-known/pki-validation/fileauth.txt is accessible for DigiCert to validate ownership

If any of these fail, Azure cannot renew the certificate and may eventually remove the domain binding.

What You Can Do for the Third Domain (Expiring August 10)

To avoid downtime or manual re-verification:

Temporarily Disable Cloudflare Proxy

Set the CNAME record to DNS-only (gray cloud).

This allows Azure to verify ownership and renew the certificate.

Ensure TXT Record Is Present

If you originally verified using a TXT record, leave it in place.

This helps Azure revalidate ownership even if CNAME fails.

Check Accessibility of Validation Endpoint

Make sure https://yourdomain.com/.well-known/pki-validation/fileauth.txt is not blocked by Cloudflare or other security layers.

Monitor Certificate Status

Use Azure CLI or portal to check certificate status and renewal progress.

You can also set up alerts for certificate expiration.

Note - The first step would be to use KeyVault to store certificates which consuming services poll for updates. Then you would need a way to update the certificates in advance to ensure the latest are picked up by the downstream services.

KeyVault supports renewal of certificates as well for partnered CAs. For others, you could build a workflow to trigger on certificate expiry KeyVault Events and update certificates well in advance.

If you are using Let's Encrypt for your certificates, you could use a solution like keyvault-acmebot to handle things for you.
Daniel-4204 105 Reputation points

2025-08-08T02:01:23.6366667+00:00

@Siva Nair Thanks, 1 and 2 is very helpful confirmation. When our custom domains where added and binded, it was with the CNAME verification only for the Static Webapp. There was no TXT (though it may have been an available option at the time, I do not know). Based on your explaination and me resolving the 2 dev domains earlier this evening, I believe this TXT record will need to remain in the DNS Records going forward along with not enabling CF Proxy for CNAME record as you described.

**Regarding Tip Number 3 you gave: Check Accessibility of Validation Endpoint. (**Make sure https://yourdomain.com/.well-known/pki-validation/fileauth.txt is not blocked by Cloudflare or other security layers.) I am not familar with this and will need to research it further. Do you have any Microsoft Documention that references this related to Static WebApps?

Tip Number 4: This could be helpul to consider for future scenarios, though I am not sure this applies to our current situation since we do not have any control over certificates in Static WebApps where an External DNS provider is used like CloudFlare (but I do not know everything, so there may be more to that in another part of the Azure Portal). We are using our own certificates with "regular" non static Azure WebApps though, so the tip regarding keyvault looks like something to adopt.

Final thoughts:
Thank you again, I will meet with the team tomorrow to explain the options and plan a short downtime for Prod so that I can remove the Static WebApps custom domain and re-validate with TXT record method to get a renewed cert and monitor for renewal 45 days before expiration.

1 answer

Your answer

Daniel-4204 105 Reputation points

2025-08-07T22:53:24.7966667+00:00

Update: For the two custom domains with expired certificates above, I removed and re-added the custom domains using TXT record verification to get them working again.

However, I still need clarity on how to handle the third custom domain, which is set to expire on 2025-08-10 18:59:59 with out reacting to an issue, or without taking it offline for "planned downtime" to trigger a renewal when it should be automatic.

I was hoping a manual re-verification process wasn't required every year. Additionally, I noticed the newly issued certificates expire on 2026-02-07 17:59:59, which is 6 months from now, unlike the original certificates that were valid for a full year.

Thanks,
Daniel-4204 105 Reputation points

2025-08-08T02:01:23.6366667+00:00

@Siva Nair Thanks, 1 and 2 is very helpful confirmation. When our custom domains where added and binded, it was with the CNAME verification only for the Static Webapp. There was no TXT (though it may have been an available option at the time, I do not know). Based on your explaination and me resolving the 2 dev domains earlier this evening, I believe this TXT record will need to remain in the DNS Records going forward along with not enabling CF Proxy for CNAME record as you described.

**Regarding Tip Number 3 you gave: Check Accessibility of Validation Endpoint. (**Make sure https://yourdomain.com/.well-known/pki-validation/fileauth.txt is not blocked by Cloudflare or other security layers.) I am not familar with this and will need to research it further. Do you have any Microsoft Documention that references this related to Static WebApps?

Tip Number 4: This could be helpul to consider for future scenarios, though I am not sure this applies to our current situation since we do not have any control over certificates in Static WebApps where an External DNS provider is used like CloudFlare (but I do not know everything, so there may be more to that in another part of the Azure Portal). We are using our own certificates with "regular" non static Azure WebApps though, so the tip regarding keyvault looks like something to adopt.

Final thoughts:
Thank you again, I will meet with the team tomorrow to explain the options and plan a short downtime for Prod so that I can remove the Static WebApps custom domain and re-validate with TXT record method to get a renewed cert and monitor for renewal 45 days before expiration.

Answer 1

Hi Daniel-4204

Glad the first two points were helpful. Let me address your follow-up questions and give you a plan that will work reliably going forward.

About the /.well-known/pki-validation/fileauth.txt endpoint

This path is part of DigiCert’s HTTP-based domain validation process. When Azure Static Web Apps requests a certificate from DigiCert, DigiCert may try to confirm domain ownership by checking this file.
If the domain is proxied through Cloudflare or has security rules blocking that path, DigiCert cannot reach it, and renewal fails.
Microsoft does not document this file path specifically for Static Web Apps, but they do confirm that domain ownership validation is handled through CNAME, TXT, or HTTP checks as part of the binding process: doc- https://learn.microsoft.com/en-us/azure/static-web-apps/custom-domain?tabs=azure-dns#custom-domain-validation

Why you’ve had failures and how to fix it permanently

Your domains were originally bound using CNAME only (proxied via Cloudflare), so when Azure tries to re-verify at renewal, it cannot see the underlying Azure hostname.
If there’s no permanent TXT record in DNS for that domain, Azure has no alternate validation path and renewal fails.

Long-Term Solution (No Annual Downtime)

One-time setup:

Remove and re-add each domain via TXT verification in Azure Static Web Apps:
- In the Azure Portal, go to your Static Web App → Custom domains → Add.
- Choose the TXT record verification option.
- Add the TXT record exactly as Azure provides to your DNS in Cloudflare.
- Once verified, keep the TXT record in DNS permanently.
Keep your Cloudflare proxy ON if you want, but ensure:
- CAA records for digicert.com are present (you’ve already done this).
- The TXT verification record is never removed, even after future renewals.
Optional: If you want HTTP validation to work as a fallback, create a Cloudflare Page Rule or Firewall Rule to allow public access to: https://<yourdomain>/.well-known/pki-validation/fileauth.txt without blocking or redirecting it.

Siva Nair 345 Reputation points Microsoft External Staff Moderator

2025-08-11T16:57:39.6333333+00:00

Hi Daniel-4204,

Glad that you find the above response helpful, i would request you to please accept answer, so that others who has similar issue get help from it.

Thanks

best wishes!

Share via

Azure Static Web App Certificate Renewal Failing to Verify External Provider (Cloudflare DNS)

1 answer

Your answer