I'm trying to host a static website on Azure storage with a custom domain and HTTPS.
I have created a storage account, uploaded my files, and enabled static site hosting. The site works nicely from the <foo>.web.core.windows.net domain provided by Azure.
I have created a CDN endpoint for the site with the origin hostname set to the primary endpoint provided by Azure, added a custom domain for my www subdomain, provisioned a CDN-managed certificate for it, and added a rule to redirect non-HTTPS requests to https://www.<my-domain>.com. This also works well.
Now I want my apex domain to redirect to my www subdomain.
CNAMEs aren't an option, but I have added an alias A record for @ pointing to my CDN endpoint and added the apex domain as a custom domain to the CDN.
Requests to http://<my-domain>.com redirect nicely, but requests to https://<my-domain>.com understandably give a scary SSL_ERROR_BAD_CERT_DOMAIN error. Azure does not support CDN-managed certificates for apex domains:
CDN-managed certificates are not available for root or apex domains. If your Azure CDN custom domain is a root or apex domain, you must use the Bring your own certificate feature.
I don't want to actually host anything on my apex domain—I just want to redirect it to my www subdomain. Manually provisioning (and maintaining) a certificate seems like a lot of overhead.
The domain registrar, GoDaddy, has a "forwarding" feature that did what I want, but I prefer to keep my DNS hosted with Azure.
Is there a way to redirect apex domain HTTPS requests to my www subdomain without manually provisioning a certificate for my apex domain or moving my DNS out of Azure?
You could automate certificates for the apex using Let's Encrypt, making the cert part a little easier to handle.
Other than that, you basically need to host a 301 redirect somewhere that talks both HTTP and HTTPS to get this to work, no shortcut I'm afraid, especially if you're going to be using HSTS. There are some DNS providers that actually support CNAMEs at the apex, but I'd be a bit hesitant trying those out.
Edit: Sorry, I didn't read the question properly. I also wanted to avoid the overhead of managing a certificate but I didn't find a way out. You can actually buy SSL certs in Azure, which are actually provisioned by GoDaddy. I wonder if that can auto-renew.
I ended up buying a super cheap 4-year certificate from ssls.com, saved it in Azure Vault and got my Azure CDN to use it for my apex domain (which is set up in Azure DNS using the steps below). My CDN redirects the requests to the apex domain to the www subdomain.
You can do this using aliases now.
Then, add your host name (example.com) in the CDN endpoint.
You will need to use a custom SSL in the CDN for the root level domain.
No, you can't receive HTTPS requests unless you have the appropriate SSL certificate.
The redirect happens afterwards.
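
The ordering described in the last answer, modelled as an added example (not code from any of the posts): the client checks the certificate's names against the requested host before any HTTP response is read, so the 301 is never seen when only www is covered. The example.com names and SAN lists are constructed, and the matcher is a simplified form of the RFC 6125 wildcard rules.

```python
"""Added example: why https://<apex> fails before the redirect can be served."""

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName entry against a requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never zero
    if p_labels[0] == "*":
        # Wildcard only as the whole left-most label, and not directly under a TLD.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(sans, hostname: str) -> bool:
    """True if any subjectAltName entry is valid for the hostname."""
    return any(san_matches(s, hostname) for s in sans)

def https_request_outcome(sans, hostname: str, redirect_target: str) -> str:
    """Model the order of events: TLS name check first, HTTP redirect second."""
    if not cert_covers(sans, hostname):
        # What the browser reports as SSL_ERROR_BAD_CERT_DOMAIN.
        return "TLS error: certificate not valid for " + hostname
    return "301 -> " + redirect_target

# Constructed SAN lists (assumptions, not taken from a real certificate).
WWW_ONLY = ["www.example.com"]                 # managed cert for the www subdomain
WILDCARD = ["*.example.com"]                   # wildcard does not include the apex
BOTH = ["example.com", "www.example.com"]      # cert that also names the apex

if __name__ == "__main__":
    target = "https://www.example.com/"
    for label, sans in (("www only", WWW_ONLY), ("wildcard", WILDCARD), ("both", BOTH)):
        print(f"{label:9s} apex -> {https_request_outcome(sans, 'example.com', target)}")
```
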