Configure HTTPS on a Custom Domain in Azure CDN

This article does not walk through the whole process of configuring HTTPS on an Azure CDN custom domain, because the tutorial provided by Microsoft already covers all of that.

The main goal of this article is to share my experience of trying to configure it, and of what happens when things do not go the way you expect.

Context

First of all, if you are planning to go through this configuration process, or just want to be aware of it, I invite you to read the tutorial so that you can follow the rest of this article.

As the tutorial says, when you request to enable HTTPS for a given custom domain on your Azure CDN endpoint, a validation process is performed to confirm ownership of that custom domain.

If the custom domain is a new domain, you can create a CNAME record in your DNS provider that maps the custom domain to the CDN endpoint's hostname. The validation is then performed automatically by DigiCert.

If the custom domain is already being used by a live application, you need a different approach: create a CNAME record that maps your custom domain to the CDN endpoint, but with the keyword cdnverify included. In this scenario, DigiCert queries WHOIS for the registrant information of the custom domain and sends an email asking to approve the validation request. If the registrant information is private, it sends the email to one of the following addresses:

  • admin@<your-domain-name.com>
  • administrator@<your-domain-name.com>
  • webmaster@<your-domain-name.com>
  • hostmaster@<your-domain-name.com>
  • postmaster@<your-domain-name.com>


Problem

The problem arises when the registrant information is not available, either because the DNS provider does not provide it at all or because you are using WhoisGuard on your domain. In that case, Azure will try to send the email to any of the addresses listed above. If you do not have any of those mailboxes (e.g. you use a single global support address for all your websites, such as support@<company>.com), you have no way to validate the domain ownership automatically without contacting the Azure Support team.
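A pre-flight check for the situation described above, added here as an example and not code from Microsoft, DigiCert or the tutorial. It assumes the cdnverify record has the form cdnverify.<custom domain> pointing at cdnverify.<endpoint hostname>, that you supply the CNAME records and the mail domain yourself, and all function names, hostnames and mailboxes in it are constructed for illustration.

```python
# Added example: predicts which ownership-validation path applies and whether
# the approval email can reach a mailbox you control. Names are hypothetical.
FALLBACK_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def norm(host):
    """Lower-case a hostname and drop the trailing dot of an FQDN."""
    return host.strip().rstrip(".").lower()


def validation_path(custom_domain, endpoint_host, cname_records):
    """Return 'automatic', 'email' or 'unmapped' from a {name: CNAME target} map."""
    records = {norm(k): norm(v) for k, v in cname_records.items()}
    domain, endpoint = norm(custom_domain), norm(endpoint_host)
    if records.get(domain) == endpoint:
        return "automatic"  # direct CNAME: validated without email
    # Assumed record shape: cdnverify.<custom domain> -> cdnverify.<endpoint>
    if records.get("cdnverify." + domain) == "cdnverify." + endpoint:
        return "email"
    return "unmapped"


def approval_mailboxes(mail_domain, whois_registrant_email=None):
    """Addresses the approval request may be sent to, per the list above."""
    if whois_registrant_email:
        return [whois_registrant_email.strip().lower()]
    return [f"{part}@{norm(mail_domain)}" for part in FALLBACK_LOCAL_PARTS]


def preflight(custom_domain, endpoint_host, cname_records, mail_domain,
              controlled_mailboxes, whois_registrant_email=None):
    """Flag the case where email validation cannot complete on its own."""
    path = validation_path(custom_domain, endpoint_host, cname_records)
    candidates = approval_mailboxes(mail_domain, whois_registrant_email) if path == "email" else []
    controlled = {m.strip().lower() for m in controlled_mailboxes}
    reachable = [m for m in candidates if m in controlled]
    return {"path": path, "reachable": reachable,
            "needs_support_ticket": path == "email" and not reachable}


# Constructed sample: live site verified via cdnverify, WHOIS hidden,
# and only a shared support mailbox exists.
SAMPLE_RECORDS = {"cdnverify.www.example.com.": "cdnverify.myendpoint.azureedge.net."}

if __name__ == "__main__":
    print(preflight("www.example.com", "myendpoint.azureedge.net", SAMPLE_RECORDS,
                    "example.com", ["support@example.com"]))
```

Running it before you request HTTPS tells you whether to create one of the listed mailboxes first, which is much quicker than going through support afterwards.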

Solution

In this case, the option available to you is to contact the Microsoft Support team and ask them to help finish the validation process. This can be time-consuming (it took me 1-2 weeks to finalize), since it requires collaboration between the Azure Support team and the DigiCert Support team.

In the end, I had to create TXT records in my DNS provider and associate these records with the custom domain, so that DigiCert could verify the ownership of the domain.

I hope this article helps you save some time, in case you face the same issue.