12

I'm trying to use the recently announced (in preview) managed certificates for Azure App Service. One of the limitations is that you can't get one for naked domains, e.g., you can get one for www.domain.com, but not domain.com.

In my (current) web.config, I'm redirecting from 'naked' to 'www' anyway using rewrite rules, so being limited to 'www' is not a real problem. However, as the redirect takes place at the web.config level, that is, after the request has hit the webserver, this is too late: when 'domain.com' gets hit and tries to redirect, the browser has already seen the insecure connection to the naked domain and (depending on browser) will display a warning page.

So how is one supposed to deal with the "naked" domains? No more redirects at all? Or are there other methods to do this besides web.config configurations? I did look, but did not find anything.

Luis Cadena
Thomas Woelfer

4 Answers

4

Adding to Jack's suggestions.

Currently, the preview offering only supports CNAME-based validation. Thanks for the feedback; it is on our list of future improvements to consider, however we do not have any ETA on this yet. So, I request you to up-vote this feedback post on UserVoice: https://feedback.azure.com/forums/169385-web-apps/suggestions/38981932-add-naked-domain-support-to-app-service-managed-ce

Alternatively, you may try to forward apex domains to subdomain such as www.

So based on your requirement, to redirect - https://yourdomain.com -> https://www.yourdomain.com

If you are using App Service Domain, you can forward your domain by going to 'Advanced Management portal' of the domain resource.

Advance Management Portal

Forwarding Domains

Forward to domain

AjayKumar
  • I'm unable to find the UI shown in the second and third pictures. The Advanced Management portal link redirects me to https://dcc.secureserver.net/domains – Matthew Steven Monkan Jul 10 '20 at 04:24
  • OK, I found it, there is a toggle next to the search bar on the domain list for simple view and Advanced view. Need to choose the rightmost icon for Advanced to show the extra toolbar in the 2nd pic – Matthew Steven Monkan Jul 10 '20 at 04:28
4

So, after a long time, Azure finally supports this. One can simply use a managed cert for naked domains.

See here: https://azure.github.io/AppService/2021/03/02/asmc-apex-domain.html

Thomas Woelfer
2

In this scenario, I think a redirect is necessary.

We can get some clues from other international websites. For example: when I try to access http://google.com, actually I will get a 301 redirect which redirects me to http://www.google.com, and then I will get a 302 redirect which redirects me to https://www.google.com/?gws_rd=ssl


So, as the managed certificate does not support naked domains, I suggest you directly add your www subdomain to your web app, and then create a managed certificate for that www subdomain.

And, finally, you can add 301 and 302 redirect rules in your DNS provider, which will ensure all requests to naked domain will be redirected to www subdomain. This could be done in your DNS provider before your web app.

Jack Jia
1

So after some time trying things, here's how I ended up dealing with this:

  • Using managed domain certificates for all hostname.Domain.tld names
  • Using the letsencrypt script (from extensions) to get a cert for the naked domain

Once Azure provides certs for the naked domain, I will retire the script.

Thomas Woelfer
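
Added example (not part of the thread or any poster's code): a simplified Python model of the ordering problem the question describes, where the certificate check on the naked domain happens before a web.config redirect can be sent. The hostnames and SAN lists are constructed, the function names are hypothetical, and the matching is a simplified form of the hostname rules browsers apply.

```python
# Added example: why a web.config redirect cannot rescue an apex domain
# that has no matching certificate. All hostnames and SAN lists below are
# constructed sample data, not taken from a real deployment.

def san_matches(hostname, san):
    """Simplified browser-style match: a wildcard is only honoured as the
    entire left-most label and stands for exactly one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False  # '*.domain.com' never matches the apex 'domain.com'
    if san_labels[0] == "*":
        # Require at least two fixed labels so '*.com' style entries fail.
        return len(san_labels) >= 3 and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def covered(hostname, sans):
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(hostname, s) for s in sans)


def first_request_outcome(hostname, sans, redirect_to):
    """Model the order of events for https://<hostname>/: the TLS handshake
    (certificate check) completes before the server can send the redirect
    produced by a rewrite rule."""
    if not covered(hostname, sans):
        return "certificate warning (redirect never reached)"
    return f"301 -> https://{redirect_to}/"


# Constructed certificate SAN lists for the scenarios in the thread.
WWW_ONLY = ["www.domain.com"]                      # managed cert, www only
WILDCARD = ["*.domain.com"]                        # wildcard still skips the apex
WWW_PLUS_APEX = ["www.domain.com", "domain.com"]   # apex cert added separately

if __name__ == "__main__":
    for name, sans in [("www only", WWW_ONLY), ("wildcard", WILDCARD),
                       ("www + apex", WWW_PLUS_APEX)]:
        outcome = first_request_outcome("domain.com", sans, "www.domain.com")
        print(f"{name:11} {outcome}")
```

Only the configuration whose certificate names the apex itself reaches the redirect; the other two stop at the certificate check.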