Timeout creating new app service managed certificate

Question

Timeout creating new app service managed certificate

Derek Chan 1

I am trying to create a new managed certificate. I have created hundreds of these before and they are all renewing without a problem.

The domain name validates fine, but adding it eventually times out with this error:

Add App Service Managed Certificate

Error adding managed certificate: Pending managed certificate failed: Request Time-out Refer to the documentations for more info: https://go.microsoft.com/fwlink/?linkid=2158627.

I have checked all requirements for creating app service certificates
I have checked and run all validation scripts to ensure it passes the new requirements from 28 July 2025
i have attempted to create using "az webapp config ssl create ... ". This returns "Managed Certificate creation in progress. Please use the command 'az webapp config ssl show ...' to view your certificate once it is created" - but the certificate is never created

Michele Ariis 4,590 Reputation points MVP

2025-08-28T05:32:20.4+00:00

Hi, the “Request Time-out” error when creating the App Service Managed Certificate is almost always caused by a failed domain check. Check that the host points directly to the app with a CNAME → <appname>.azurewebsites.net (no Front Door/Cloudflare/WAF in the middle; on Cloudflare, set “DNS only”), that there are no blocking CAAs or add issue "digicert.com" (and issuewild "digicert.com" if necessary), and that the app is publicly accessible (Access restrictions disabled, no Private Endpoint/“Public network access: Off” during issuance). Delete any Pending/Failed certificates and the domain binding, re-add the domain, and re-issue; if using the CLI, run it and then check the certificate status with az resource show -g <rg> -n "<hostname>" --resource-type Microsoft.Web/certificates (look at provisioningState/statusReason). If you need to run a proxy in front of you, don't use AMSC: use the Front Door/ALB managed certificate or issue via Key Vault/ACME and connect that to the App Service. If it keeps expiring, collect quick evidence (nslookup -type=CAA domain, nslookup host) and open an App Service ticket asking them to requeue the issuance for the host, including subscription/app/area and the certificate status JSON.
Derek Chan 1 Reputation point

2025-08-29T02:55:48.4566667+00:00

@Michele Ariis thanks. the cname points to trafficmanager as it has for all other domains i have created in the past. This is the first domain I have attempted to created post 28 July. All existing domains and this one are "azure endpoints", not "nested" or "external". I ran all the check scripts here and passed them all. https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-certificate-changes-july-2025
Michele Ariis 4,590 Reputation points MVP

2025-08-29T04:41:03+00:00

The “Request Time-out” error when creating the App Service Managed Certificate (AMSC) almost always depends on the fact that your host points via CNAME to Traffic Manager: after the July 2025 changes, certificate validation must reach the App Service on the domain directly (without TM/CDN/WAF) and read /.well-known/pki-validation. Solutions: 1) Quick workaround: delete the faulty certificate, temporarily point the CNAME to <appname>.azurewebsites.net, make sure the site is public (no Access Restrictions/Private Endpoints) and that any CAAs allow digicert.com, recreate the certificate, then re-bind and, if desired, restore TM (knowing that renewal will require a new flip). 2) Recommended solution with TM/multi-region: do not use AMSC behind TM; Terminate TLS on Azure Front Door/Application Gateway with their managed certificate, or bring your own certificate (ACME/Let's Encrypt or DigiCert via Key Vault/automation) and upload it to App Services. Quick checks: no orange proxies (Cloudflare "DNS only"), no redirects that change Host headers, HTTP/80 reachable for DCV. Status/debug: az resource show ... Microsoft.Web/certificates --query "{state:...,reason:...}"

1 answer

Your answer

Michele Ariis 4,590 Reputation points MVP

2025-08-28T05:32:20.4+00:00

Hi, the “Request Time-out” error when creating the App Service Managed Certificate is almost always caused by a failed domain check. Check that the host points directly to the app with a CNAME → <appname>.azurewebsites.net (no Front Door/Cloudflare/WAF in the middle; on Cloudflare, set “DNS only”), that there are no blocking CAAs or add issue "digicert.com" (and issuewild "digicert.com" if necessary), and that the app is publicly accessible (Access restrictions disabled, no Private Endpoint/“Public network access: Off” during issuance). Delete any Pending/Failed certificates and the domain binding, re-add the domain, and re-issue; if using the CLI, run it and then check the certificate status with az resource show -g <rg> -n "<hostname>" --resource-type Microsoft.Web/certificates (look at provisioningState/statusReason). If you need to run a proxy in front of you, don't use AMSC: use the Front Door/ALB managed certificate or issue via Key Vault/ACME and connect that to the App Service. If it keeps expiring, collect quick evidence (nslookup -type=CAA domain, nslookup host) and open an App Service ticket asking them to requeue the issuance for the host, including subscription/app/area and the certificate status JSON.
Derek Chan 1 Reputation point

2025-08-29T02:55:48.4566667+00:00

@Michele Ariis thanks. the cname points to trafficmanager as it has for all other domains i have created in the past. This is the first domain I have attempted to created post 28 July. All existing domains and this one are "azure endpoints", not "nested" or "external". I ran all the check scripts here and passed them all. https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-certificate-changes-july-2025
Michele Ariis 4,590 Reputation points MVP

2025-08-29T04:41:03+00:00

The “Request Time-out” error when creating the App Service Managed Certificate (AMSC) almost always depends on the fact that your host points via CNAME to Traffic Manager: after the July 2025 changes, certificate validation must reach the App Service on the domain directly (without TM/CDN/WAF) and read /.well-known/pki-validation. Solutions: 1) Quick workaround: delete the faulty certificate, temporarily point the CNAME to <appname>.azurewebsites.net, make sure the site is public (no Access Restrictions/Private Endpoints) and that any CAAs allow digicert.com, recreate the certificate, then re-bind and, if desired, restore TM (knowing that renewal will require a new flip). 2) Recommended solution with TM/multi-region: do not use AMSC behind TM; Terminate TLS on Azure Front Door/Application Gateway with their managed certificate, or bring your own certificate (ACME/Let's Encrypt or DigiCert via Key Vault/automation) and upload it to App Services. Quick checks: no orange proxies (Cloudflare "DNS only"), no redirects that change Host headers, HTTP/80 reachable for DCV. Status/debug: az resource show ... Microsoft.Web/certificates --query "{state:...,reason:...}"

Answer 1

Hi Derek,

If you post the domain you are attempting to create managed certificate for in a comment I will run some DNS queries from multiple global points and see if I see anything wrong. Since you have done it so many times there probably isn't anything wrong, but it won't hurt for me to check.

After you attempt to add managed certificate, please see if domain validation token is being created using instructions below.

For example, say you are adding managed certificate for www.yourcustomdomain.com. You start process in Azure portal, then in separate tab you immediately navigate to below link:

https://www.yourcustomdomain.com/.well-known/pki-validation/fileauth.txt

You will get security warning, since certificate hasn't been issued, so click Advanced and then click to continue to site. Every 3 seconds or so, refresh the page. At first, you should receive error similar to below screenshot:

enter image description here

However, if you keep refreshing your browser every few seconds, within a few minutes you should see token appear, which would be similar to below screenshot:

enter image description here

If you keep refreshing the page for 10-15 minutes and token never appears and/or certificate never gets issued, then it means there is an issue and your managed certificate is unlikely to ever get issued.

After the token shows up, if things are working properly your certificate should be issued in about 5-10 minutes. When it is issued if you again browse to above link the token will be replaced by error message since the token is no longer needed and thus removed.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Derek Chan 1 Reputation point

2025-08-29T02:43:57+00:00

thank you, I will try that. screenshot above showing the domain name.
raklo 0 Reputation points

2025-08-29T17:19:06.22+00:00

any progress on that and working solution? I have same issue. Yesterday I could create managed certificates today got timeouts. I have public domain accessible directly (no TM/CDN/WAF) and I see token in .well-known/pki-validation/fileauth.txt.

Share via

Timeout creating new app service managed certificate

1 answer

Your answer