az webapp config ssl create - Doesn't support child DNS zone #30100

Open

thasimongyldendal opened this issue Oct 16, 2024 · 5 comments

Labels
app-service-certs-domains Auto-Assign Auto assign by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported Issues that are reported by GitHub users external to the Azure organization. Service Attention This issue is responsible by Azure service team. Web Apps az webapp

Comments

@thasimongyldendal

Describe the bug

I have the following DNS setup:

  1. a main DNS zone for my domain, example.com
  2. A child zone for the main DNS zone: qa.example.com

I create an A record in the child zone - @ and then the IP of the webapp, as well as the asuid TXT record for domain validation.

When running:

az webapp config ssl create --resource-group myresourcegroup --name mywebapp --hostname qa.example.com

It fails with:
Properties.CanonicalName is invalid. Not found CNAME directly pointing to *.azurewebsites.net. Current CNAME record of the hostname qa.example.com is empty.

It should be possible to specify the validation method, so that you can specify ARecord. This is currently possible in azure container apps with az containerapp hostname bind

Related command

az webapp config ssl create

Errors

Sensitive information removed (removed the child DNS zone with example.com):

{
    "Code": "BadRequest",
    "Message": "Properties.CanonicalName is invalid.  Not found CNAME directly pointing to *.azurewebsites.net. Current CNAME record of the hostname qa.example.com is empty.",
    "Target": null,
    "Details": [
        {
            "Message": "Properties.CanonicalName is invalid.  Not found CNAME directly pointing to *.azurewebsites.net. Current CNAME record of the hostname qa.example.com is empty."
        },
        {
            "Code": "BadRequest"
        },
        {
            "ErrorEntity": {
                "ExtendedCode": "51021",
                "MessageTemplate": "{0} is invalid.  {1}",
                "Parameters": [
                    "Properties.CanonicalName",
                    "Not found CNAME directly pointing to *.azurewebsites.net. Current CNAME record of the hostname qa.example.com is empty."
                ],
                "Code": "BadRequest",
                "Message": "Properties.CanonicalName is invalid.  Not found CNAME directly pointing to *.azurewebsites.net. Current CNAME record of the hostname qa.example.com is empty."
            }
        }
    ],
    "Innererror": null
}

Issue script & Debug output

I think it's not needed.

Expected behavior

As an ARecord is defined in the child DNS zone, it should be able to validate and bind the certificate. It defaults to CNAME, which seems incorrect.

Environment Summary

azure-cli 2.65.0

core 2.65.0
telemetry 1.1.0

Extensions:
account 0.2.5

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Additional context

No response

@thasimongyldendal thasimongyldendal added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Oct 16, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Web Apps az webapp Service Attention This issue is responsible by Azure service team. Auto-Assign Auto assign by bot labels Oct 16, 2024
@yonzhan
Collaborator

yonzhan commented Oct 16, 2024

Thank you for opening this issue, we will look into it.

Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @calvinsID.

Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.

@andrem0

andrem0 commented Oct 16, 2024

same problem here

@thasimongyldendal
Author

thasimongyldendal commented Oct 16, 2024

Workaround for now:

# Create the managed certificate through the ARM REST API instead of the CLI command,
# because only the API lets you set domainValidationMethod explicitly.
$resourceGroup  = 'yourResourceGroup'
$dnsZone        = 'qa.example.com'   # the custom hostname; here it is also the child DNS zone apex
$subscriptionId = 'yourSubscription'
$plan           = 'yourPlan'         # App Service plan the web app runs on
$location       = 'yourLocation'     # must match the plan's region

$certificateCreationRequest = @{
    name       = $dnsZone
    location   = $location
    properties = @{
        canonicalName          = $dnsZone
        domainValidationMethod = 'http-token'   # instead of the CNAME check the CLI forces
        serverFarmId           = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Web/serverfarms/$plan"
    }
}

$url = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Web/certificates/${dnsZone}?api-version=2023-12-01"

# Escape the double quotes so the JSON reaches the az executable intact when passed from PowerShell.
$json = ($certificateCreationRequest | ConvertTo-Json -Compress) -replace '"', '\"'
az rest --method PUT --url $url --body $json

This allows me to create the certificate and bind it without cname validation being forced. This is NOT possible in the portal or with az cli directly. Most likely I will use bicep to create the certificate instead of az cli, but hopefully you can allow us to override the domainValidationMethod in the command.

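The failure described in the issue body and the REST workaround above come down to the same thing: which domain validation method the certificate request uses. The CLI command only looks for a CNAME to *.azurewebsites.net, but the hostname here is the apex of a child zone, and a zone apex can never carry a CNAME (RFC 1034 section 3.6.2 forbids a CNAME alongside the SOA and NS records every apex has), so that check can only fail. The following Python preflight is an added example, not code from the issue, from Azure CLI or from Azure. It models the decision over a constructed DNS record set: it checks the asuid TXT record the hostname binding needs, picks 'cname-delegation' (the value the Microsoft.Web/certificates schema documents for CNAME-validated managed certificates; the issue itself only shows 'http-token') when a CNAME to *.azurewebsites.net exists, falls back to 'http-token' when only an A record exists, and builds the same PUT body the workaround sends. Record values, the verification ID and the resource names are constructed sample data; in real use the records come from a resolver (nslookup or Resolve-DnsName) and the verification ID from az webapp show --query customDomainVerificationId.

```python
"""Preflight for an App Service managed certificate on a child-zone apex.

Added example: not code from the issue, Azure CLI or Azure. The record values,
verification ID and resource names below are constructed sample data.
"""
from __future__ import annotations

import json

APP_SERVICE_SUFFIX = ".azurewebsites.net"


def cname_target(records: dict, hostname: str) -> str | None:
    """Return the CNAME target of hostname, or None when the name has no CNAME."""
    return records.get(("CNAME", hostname.lower()))


def asuid_matches(records: dict, hostname: str, verification_id: str) -> bool:
    """The hostname binding needs TXT asuid.<hostname> equal to the app's
    customDomainVerificationId. For qa.example.com that is asuid.qa.example.com,
    i.e. a record named "asuid" inside the child zone."""
    txt = records.get(("TXT", f"asuid.{hostname}".lower()))
    return txt is not None and txt.strip('"') == verification_id


def choose_validation_method(records: dict, hostname: str, verification_id: str) -> dict:
    """Decide which domainValidationMethod a certificate request can use.

    Returns {"method": ..., "reason": ...} or {"error": ...}.
    """
    if not asuid_matches(records, hostname, verification_id):
        return {"error": f"TXT asuid.{hostname} is missing or does not match customDomainVerificationId"}

    target = cname_target(records, hostname)
    if target is not None and target.lower().rstrip(".").endswith(APP_SERVICE_SUFFIX):
        # The only case the CLI command handles today.
        return {"method": "cname-delegation", "reason": f"CNAME {hostname} -> {target}"}

    if records.get(("A", hostname.lower())) is not None:
        # A zone apex carries SOA/NS records and can never hold a CNAME (RFC 1034
        # section 3.6.2), so the CLI's implicit CNAME check fails here (extended
        # code 51021 in the issue); the REST API accepts http-token for this case.
        return {"method": "http-token", "reason": f"A record present, no CNAME to *{APP_SERVICE_SUFFIX}"}

    return {"error": f"no A or CNAME record found for {hostname}"}


def certificate_request_body(hostname: str, location: str, subscription_id: str,
                             resource_group: str, plan: str, method: str) -> dict:
    """Body for PUT .../providers/Microsoft.Web/certificates/<hostname>, as in the workaround."""
    return {
        "name": hostname,
        "location": location,
        "properties": {
            "canonicalName": hostname,
            "domainValidationMethod": method,
            "serverFarmId": (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
                             f"/providers/Microsoft.Web/serverfarms/{plan}"),
        },
    }


# Constructed sample data (not real records or identifiers).
VERIFICATION_ID = "0123456789ABCDEF0123456789ABCDEF"
CHILD_ZONE_RECORDS = {  # the setup in the issue: A record at the child-zone apex, no CNAME
    ("A", "qa.example.com"): "203.0.113.10",
    ("TXT", "asuid.qa.example.com"): VERIFICATION_ID,
}
CNAME_RECORDS = {  # the setup the CLI command expects
    ("CNAME", "www.example.com"): "mywebapp.azurewebsites.net",
    ("TXT", "asuid.www.example.com"): VERIFICATION_ID,
}

if __name__ == "__main__":
    for records, hostname in ((CHILD_ZONE_RECORDS, "qa.example.com"), (CNAME_RECORDS, "www.example.com")):
        decision = choose_validation_method(records, hostname, VERIFICATION_ID)
        print(hostname, decision)
        if "method" in decision:
            body = certificate_request_body(hostname, "westeurope", "yourSubscription",
                                            "yourResourceGroup", "yourPlan", decision["method"])
            print(json.dumps(body, indent=2))
```

The asuid check runs first on purpose: a certificate can be issued, but the hostname binding that uses it still fails without the verification TXT record, and that is a separate error from the CNAME one in the issue. Run the preflight before the az rest PUT and feed its "method" into domainValidationMethod.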
@seligj95 seligj95 removed their assignment Oct 23, 2024
6 participants