Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
Unable to issue managed certificates for custom domain of container app
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 42%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Davide Costa
0
Reputation points
I am trying to issue a managed certificate for a custom domain on a container app.
The container app has an active HTTP ingress that accepts traffic from anywhere with no restrictions.
I added CNAME and TXT records in the DNS and the domain validation passes:
"Hostname eligible for Managed Certificate creation. Please note that it might take up to 10 minutes for Managed Certificate to be issued."
When I add the certificate, it stays in "provisioningState": "Pending" for more than 1 hour and then fails with "error": "Operation timed out.", "provisioningState": "Failed".
The same custom domain worked fine before.
This initially happened when I triggered a cloud deployment pipeline which didn't apply changes to the cloud infrastructure.
Could it be related to the: "Upcoming Policy Updates Impacting Azure Container Apps Managed Certificates Effective 15 August 2025"?
I am also unable to delete the custom domain with no binding:
az containerapp hostname delete --hostname <domain> --name <container-app-name> --resource-group <resource-group> --subscription <subscription-id> --yes
(CertificateMissing) CertificateId property is missing for customDomain '<domain>'.
Azure Container Apps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 54%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Harish Badijana 20 Reputation points Microsoft External Staff Moderator2025-08-14T13:34:55.71+00:00 @Davide Costa we understand that you are facing an issue where a managed certificate for a custom domain on an Azure Container App fails, remaining in "provisioningState": "Pending" before timing out with "error": "Operation timed out."—despite successful domain validation. s Impacting Azure Container Apps Managed Certificates Effective 15 August 2025."
Multiple users have reported that managed certificate provisioning began failing weeks before the official policy enforcement date. The failures appear to be silent, with no clear error messaging beyond timeout and missing certificate bindings.
While DNS validation (CNAME and TXT records) passes, the certificate fails to issue.
This suggests that the issue is not DNS-related, but rather tied to internal policy enforcement or infrastructure changes.
The error (CertificateMissing) CertificateId property is missing for customDomain indicates that the domain is registered but lacks a valid certificate binding.
This is consistent with failed provisioning attempts and may require manual cleanup via Azure Portal or support escalation.
Review the official documentation and announcements for the August 15 policy update
Delete the custom domain via Azure Portal if CLI fails. Ensure no residual bindings or failed certificate objects exist.
If deletion or provisioning continues to fail, raise a support ticket with correlation ID and resource details.
Reference known issues and policy updates to expedite resolution.
As a workaround, you can manually upload a certificate and bind it using:
az containerapp hostname bind --certificate-id <cert-id> ...
This bypasses managed certificate provisioning but requires you to handle renewal.
I hope this helps in resolving the issue, do let me know if you have any further questions on this
Sign in to comment
Sign in to answer