diff --git a/modules/dns/root/main.tf b/modules/dns/root/main.tf
index 677e763..2040337 100644
--- a/modules/dns/root/main.tf
+++ b/modules/dns/root/main.tf
@@ -17,12 +17,3 @@ resource "azurerm_dns_a_record" "old_a" {
   ttl                 = 300
   records             = ["130.233.48.30"]
 }
-
-# CNAME record for www.
-resource "azurerm_dns_cname_record" "www_cname" {
-  name                = "www"
-  resource_group_name = azurerm_resource_group.dns_rg.name
-  zone_name           = azurerm_dns_zone.root_zone.name
-  ttl                 = 300
-  record              = azurerm_dns_zone.root_zone.name
-}
diff --git a/modules/web/main.tf b/modules/web/main.tf
index 4ce8016..7ded153 100644
--- a/modules/web/main.tf
+++ b/modules/web/main.tf
@@ -136,6 +136,15 @@ resource "azurerm_linux_web_app" "cms" {
 }
 
 
+# CNAME record for www.
+resource "azurerm_dns_cname_record" "www_cname" {
+  name                = "www"
+  resource_group_name = var.dns_resource_group_name
+  zone_name           = var.root_zone_name
+  ttl                 = 300
+  record              = azurerm_linux_web_app.web.default_hostname
+}
+
 resource "azurerm_app_service_custom_hostname_binding" "tikweb_hostname_binding" {
   hostname            = local.fqdn
   app_service_name    = azurerm_linux_web_app.web.name
@@ -149,6 +158,27 @@ resource "azurerm_app_service_custom_hostname_binding" "tikweb_hostname_binding"
     azurerm_dns_txt_record.tikweb_asuid
   ]
 }
+resource "azurerm_app_service_custom_hostname_binding" "www_hostname_binding" {
+  hostname            = "www.${local.fqdn}"
+  app_service_name    = azurerm_linux_web_app.web.name
+  resource_group_name = var.resource_group_name
+  depends_on = [
+    azurerm_dns_a_record.tikweb_a,
+    azurerm_dns_txt_record.tikweb_asuid_www
+  ]
+
+}
+
+resource "azurerm_app_service_managed_certificate" "www_cert" {
+  custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.www_hostname_binding.id
+}
+
+resource "azurerm_app_service_certificate_binding" "www_cert_binding" {
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.www_hostname_binding.id
+  certificate_id      = azurerm_app_service_managed_certificate.www_cert.id
+  ssl_state           = "SniEnabled"
+}
+
 resource "random_password" "tikweb_cert_password" {
   length  = 48
   special = false