Why does FrontDoor domain validation with certificate always require manual support intervention?

Jason Barnes 1 Reputation point
2021-11-15T18:28:57.947+00:00

It is impossible to add and validate a domain with a certificate using "afdverify" on Front Door without Azure Support and DigiCert support reps getting involved. I have an ongoing support email chain between Azure, DigiCert, and myself that spans several days because of the manual steps required for each domain.

Here's an example of what currently occurs:

If you want to use myapp.example.com you need to create a CNAME of afdverify.myapp.example.com pointing to your Front Door resource (e.g. fd-myapp.azurefd.net).

If you want to create an HTTPS certificate for that domain you will always get stuck at this step:
[screenshot: 149502-ss.png]

The documentation at the link above says they will automatically email "admin@your-domain-name.com" but this is not the case. Azure Support has discovered that DigiCert will not automatically send an email if the request is for a FQDN (myapp.example.com) and not a root domain.

This was DigiCert's response:

As per the documentation, since the CNAME record is with the afdverify subdomain, domain validation cannot be completed with the CNAME record, and has to be done via the other methods. And due to the account settings, when the order is submitted, the FQDN name "myapp.example.com" was submitted as the validation scope instead of the root domain "example.com", and the domain validation email was not sent automatically.

You will have to have Azure Support look up the "Order ID" and also bring in a DigiCert Support Rep to manually send the email to the correct address. But, this approval will only be for "myapp.example.com" and not for all future subdomains unless you additionally request a root domain validation email be sent.

You might be tempted to bypass this by trying to add the root domain to Front Door from the start to avoid involving support. This would probably work from DigiCert's side but unfortunately Azure Front Door does not allow you to enable HTTPS certificates for root domains.

This seems like a very broken process for a key feature. Is this really the only way to accomplish this?

Edit - I've also created a Feedback Idea here for the team.
https://feedback.azure.com/d365community/idea/ce508655-4346-ec11-a819-0022484bf651

Azure Front Door

1 answer

  1. suvasara-MSFT 10,026 Reputation points
    2021-11-16T12:21:23.473+00:00

    @Jason Barnes, meanwhile I would suggest you create MX records for your subdomain, which is nothing but initializing a new mail server for your subdomain for receiving emails. I agree that this process is not the right approach, but it can save a few hours of your valuable time by not waiting for any support till the feature gets loaded.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
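The thread describes two DNS preconditions for getting a DigiCert-issued Front Door certificate on a subdomain without a support ticket: the afdverify CNAME must point at the Front Door host, and, because DigiCert scopes validation to the FQDN (myapp.example.com) rather than the root, the constructed validation mailbox admin@myapp.example.com must actually be deliverable, which is what the answer's MX suggestion is about. The script below is an added example, not code from the original post or from Microsoft; it runs a resolver-style pre-check against a constructed, in-memory zone (the names fd-myapp.azurefd.net, myapp.example.com and mail.example.com are placeholders from the thread or assumed here) and flags the failure modes a practitioner hits. One caveat it encodes that the thread does not spell out: per RFC 1034 a name that holds a CNAME cannot also hold MX records, so the MX trick only works while the subdomain itself has not yet been CNAMEd to Front Door for live traffic; once it has, an MX query for myapp.example.com follows the CNAME and returns the azurefd.net target's mail records, not yours. The five constructed local-parts are the ones the CA/Browser Forum Baseline Requirements permit for constructed-email validation; admin@ is the one the thread names.

```python
"""Offline pre-check for the Front Door (afdverify) + DigiCert subdomain validation flow.

Zone data below is constructed for the example; swap in real `dig` output when using it.
"""
from typing import Dict, List, Tuple

# Constructed zone: owner name -> record type -> record values.
Zone = Dict[str, Dict[str, List[str]]]

# Local-parts a CA may email for constructed-address validation (CA/B Forum BRs);
# the thread only mentions admin@, but DigiCert may pick any of these.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def _norm(name: str) -> str:
    """Canonicalise a DNS name: strip trailing dot, lowercase."""
    return name.rstrip(".").lower()


def resolve(zone: Zone, name: str, rtype: str, depth: int = 0) -> List[str]:
    """Answer name/rtype from the constructed zone, chasing CNAMEs like a real resolver."""
    name = _norm(name)
    if depth > 8:
        raise ValueError(f"CNAME chain too long at {name}")
    rrset = zone.get(name, {})
    if rtype in rrset:
        return [_norm(v) for v in rrset[rtype]]
    if "CNAME" in rrset:  # no direct answer: follow the alias and ask again
        return resolve(zone, rrset["CNAME"][0], rtype, depth + 1)
    return []


def validation_addresses(scope: str) -> List[str]:
    """Mailboxes DigiCert's constructed-email validation would target for a validation scope."""
    return [f"{lp}@{_norm(scope)}" for lp in CONSTRUCTED_LOCAL_PARTS]


def precheck(zone: Zone, custom_domain: str, frontdoor_host: str) -> Dict[str, Tuple[str, str]]:
    """Return {check: (status, detail)} with status in {'ok', 'warn', 'fail'}."""
    domain = _norm(custom_domain)
    fd_host = _norm(frontdoor_host)
    results: Dict[str, Tuple[str, str]] = {}

    # 1. afdverify CNAME: this is what Front Door itself checks for domain ownership.
    verify_name = f"afdverify.{domain}"
    targets = zone.get(verify_name, {}).get("CNAME", [])
    if not targets:
        results["afdverify_cname"] = ("fail", f"no CNAME at {verify_name}")
    elif _norm(targets[0]) != fd_host:
        results["afdverify_cname"] = ("fail", f"{verify_name} points at {targets[0]}, expected {fd_host}")
    else:
        results["afdverify_cname"] = ("ok", f"{verify_name} -> {fd_host}")

    # 2. Apex check (simplified: label count only, no public-suffix list). The thread reports
    #    that Front Door will not enable managed HTTPS on a root domain at all.
    if domain.count(".") < 2:
        results["apex"] = ("warn", f"{domain} looks like an apex; Front Door managed HTTPS is refused there")
    else:
        results["apex"] = ("ok", f"{domain} is a subdomain")

    # 3. Deliverability of the validation mail. DigiCert scopes validation to the FQDN, so the
    #    mail goes to admin@<subdomain>, which needs its own MX (the answer's suggestion).
    own_rrset = zone.get(domain, {})
    if "CNAME" in own_rrset:
        # RFC 1034: a CNAME owner cannot hold MX, so the MX trick is impossible once the
        # live CNAME to Front Door is in place; mail would route via the alias target instead.
        results["validation_mx"] = ("fail", f"{domain} is a CNAME to {own_rrset['CNAME'][0]}; MX cannot coexist")
    elif not resolve(zone, domain, "MX"):
        results["validation_mx"] = ("fail", f"no MX for {domain}; {validation_addresses(domain)[0]} undeliverable")
    else:
        results["validation_mx"] = ("ok", f"MX present for {domain}: {resolve(zone, domain, 'MX')}")
    return results


FRONTDOOR = "fd-myapp.azurefd.net"  # placeholder Front Door hostname from the thread

# Constructed zone matching the state in the question: afdverify in place, no mail for the subdomain.
ZONE_BEFORE: Zone = {
    "example.com": {"MX": ["10 mail.example.com."]},
    "afdverify.myapp.example.com": {"CNAME": [FRONTDOOR]},
}
# Same zone after following the answer: an MX for the subdomain pointing at a mailbox you control.
ZONE_AFTER: Zone = {**ZONE_BEFORE, "myapp.example.com": {"MX": ["10 mail.example.com."]}}
# Wrong shape: the live CNAME was already cut over, so no MX can live at the subdomain.
ZONE_CUTOVER: Zone = {**ZONE_BEFORE, "myapp.example.com": {"CNAME": [FRONTDOOR]}}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER), ("cutover", ZONE_CUTOVER)):
        print(f"== {label} ==")
        for check, (status, detail) in precheck(zone, "myapp.example.com", FRONTDOOR).items():
            print(f"  {status:4} {check}: {detail}")
    print("validation mail candidates:", validation_addresses("myapp.example.com"))
```

To run the same checks against live DNS, replace the constructed zone with the answers from `dig +short CNAME afdverify.myapp.example.com` and `dig +short MX myapp.example.com`; the second query returning the azurefd.net target's records instead of yours is the cut-over failure the script flags.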