5

I'm trying to host a static website on Azure storage with a custom domain and HTTPS.

I have created a storage account, uploaded my files, and enabled static site hosting. The site works nicely from the <foo>.web.core.windows.net domain provided by Azure.

I have created a CDN endpoint for the site with the origin hostname set to the primary endpoint provided by Azure, added a custom domain for my www subdomain, provisioned a CDN-managed certificate for it, and added a rule to redirect non-HTTPS requests to https://www.<my-domain>.com. This also works well.

Now I want my apex domain to redirect to my www subdomain.

CNAMEs aren't an option, but I have added an alias A record for @ pointing to my CDN endpoint and added the apex domain as a custom domain to the CDN.

Requests to http://<my-domain>.com redirect nicely, but requests to https://<my-domain>.com understandably give a scary SSL_ERROR_BAD_CERT_DOMAIN error. Azure does not support CDN-managed certificates for apex domains:

> CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.

I don't want to actually host anything on my apex domain—I just want to redirect it to my www subdomain. Manually provisioning (and maintaining) a certificate seems like a lot of overhead.

The domain registrar, GoDaddy, has a "forwarding" feature that did what I want, but I prefer to keep my DNS hosted with Azure.

Is there a way to redirect apex domain HTTPS requests to my www subdomain without manually provisioning a certificate for my apex domain or moving my DNS out of Azure?

Chris

3 Answers

1

You could automate certificates for the apex using Let's Encrypt, making the cert part a little easier to handle.

Other than that, you basically need to host a 301 redirect somewhere that talks both HTTP and HTTPS to get this to work, no shortcut I'm afraid, especially if you're going to be using HSTS. There are some DNS providers that actually support CNAMEs at the apex, but I'd be a bit hesitant trying those out.

Stuggi
  • This is what I'm hoping to avoid. Is there really nothing in the Azure ecosystem that can help? It seems like quite the oversight considering storage accounts are meant to host static sites (among other things). – Chris Feb 15 '20 at 12:01
  • Sadly that's the workaround that seems to be preferred by most providers. It has to do with the fact that by definition you can't have a CNAME for the root of a DNS zone. – Stuggi Feb 15 '20 at 21:18
0

Edit: Sorry, I didn't read the question properly. I also wanted to avoid the overhead of managing a certificate but I didn't find a way out. You can actually buy SSL certs in Azure, which are actually provisioned by GoDaddy. I wonder if that can auto-renew.

I ended up buying a super cheap 4-year certificate from ssls.com, saved it in Azure Vault and got my Azure CDN to use it for my apex domain (which is set up in Azure DNS using the steps below). My CDN redirects the requests to the apex domain to the www subdomain.

You can do this using aliases now.

  1. Go to the DNS Zone
  2. Add a record set
  3. Leave name empty
  4. Choose Type A
  5. Select 'Yes' for Alias record type
  6. Choose the CDN endpoint from the resource dropdown

Then, add your host name (example.com) in the CDN endpoint.

You will need to use a custom SSL in the CDN for the root level domain.

MIWMIB
  • "You will need to use a custom SSL in the CDN for the root level domain"—that's exactly what I'm trying to _avoid_. – Chris May 04 '20 at 02:27
  • Furthermore, if you re-read my question you'll see that I've already set up an alias record: "I have added an alias `A` record for `@` pointing to my CDN endpoint and added the apex domain as a custom domain to the CDN". – Chris May 04 '20 at 12:29
  • Sorry, I don't think it can be done. I've updated my answer with the approach I took in a similar situation. – MIWMIB Jun 07 '20 at 08:32
0

No, you can't receive HTTPS requests unless you have the appropriate SSL certificate.

The redirect happens afterwards.

madacoda
  • Of course I need a certificate to receive HTTPS requests. That's not what I'm asking. I'm looking for a way to _automatically provision_ such a certificate for my apex domain. – Chris May 04 '20 at 12:30
  • https://github.com/shibayan/keyvault-acmebot – walnut_salami Mar 27 '22 at 17:35
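
Added example, not part of the original thread: the TLS handshake completes before any redirect is sent, so the certificate served for the apex must name the apex itself. This Python check takes the subjectAltName text printed by `openssl x509 -noout -ext subjectAltName` and reports which hostnames a certificate does not cover; `example.com` stands in for the asker's domain and the three sample outputs are constructed.

```python
import re

# Constructed sample outputs of: openssl x509 -noout -ext subjectAltName
WWW_ONLY = "X509v3 Subject Alternative Name:\n    DNS:www.example.com\n"
WILDCARD = "X509v3 Subject Alternative Name:\n    DNS:*.example.com\n"
APEX_AND_WWW = ("X509v3 Subject Alternative Name:\n"
                "    DNS:example.com, DNS:www.example.com\n")

# Hostnames that must complete a TLS handshake before a redirect can be sent.
HOSTS = ["example.com", "www.example.com"]


def parse_sans(openssl_text):
    """Extract the DNS entries from the subjectAltName text output."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: '*' is honoured only as the entire
    left-most label and stands for exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(hostnames, sans):
    """Return the hostnames that no SAN entry matches."""
    return [h for h in hostnames
            if not any(name_matches(s, h) for s in sans)]


if __name__ == "__main__":
    for label, text in [("www only", WWW_ONLY),
                        ("wildcard", WILDCARD),
                        ("apex + www", APEX_AND_WWW)]:
        missing = uncovered(HOSTS, parse_sans(text))
        print(f"{label:12} not covered: {missing or 'none'}")
```

A wildcard entry does not cover the apex either, so a certificate used for the apex redirect needs the bare domain listed as its own SAN.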