Setting Up a Root Domain with Azure DNS

When setting up Azure CDN, you may want to use a naked domain ( to access. It’s a little tricky, so here’s how I set it up:

Creation and Verification

Create the CDN profile and endpoint in Azure.

Next set up a custom domain:

To do this, you’ll need to modify the value highlighted as a CNAME record for your domain’s DNS. It will look like this:

Setting up SSL and HTTPS Redirect

With the domain working, you’ll notice that you only have an insecure connection in place, so let’s set up HTTPS.

One of the disadvantages of using a root domain is that you cannot use the Azure CDN self-generated certificates. This means you’ll have to bring your own certificate in. There are three options immediately available:

  1. Purchase a certificate from Azure (easy and reliable, but starts at ~$70).
  2. Purchase a certificate from a reputable CA (such as from Namecheap, where you can purchase a cert for as low as ~$8 a year, although these certs are not as secure).
  3. Use the manual process at Let’s Encrypt to generate a certificate (free, but will need to be renewed regularly).

Obtaining a Let’s Encrypt Certificate Using Windows

To use the manual process, you’ll need to start with the following:

Install WSL (Ubuntu 18.04) onto your computer, and open a CLI.

Install certbot with the following commands:

And then run certbot in manual mode:

sudo certbot certonly --manual --preferred-challenges dns-01

You’ll need to create a TXT record with the data provided from certbot. After creating the TXT record, use to verify the TXT record has been resolved before progressing (may take 5-10 minutes).

Once you’ve verified (and deleted the generated TXT record), you’ll have both a certificate and a private key generated.

Next, you’ll add these to an Azure Key Vault to finish setting up HTTPS.

Adding Certificate to Key Vault, Configuring Certificate

To add the certificate to the Key Vault, you first need to convert it to PFX (using WSL):

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert.pfx -passout pass:password

Now, back in the Azure CLI, import the certificate:

az keyvault certificate import --vault-name VAULT_NAME -n cert -f cert.pfx --password password
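
A pre-import check for the PFX conversion above, as an added example that is not part of the original post: it confirms the private key matches the leaf certificate, that the certificate covers the root domain and is not about to expire, then builds the PFX with a random passphrase read from a file instead of `pass:password` on the command line. The function names, the 14-day window and the passphrase file are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check certbot output, then package it as a PFX.
# Function names and the passphrase-file convention are assumptions.

# key_matches_cert CERT KEY: 0 if KEY is the private key of the first
# (leaf) certificate in CERT, 1 if not, 2 if either file cannot be parsed.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_name CERT NAME: 0 if the leaf certificate is valid for NAME.
# -checkhost exits 0 either way, so the verdict is read from its output.
cert_covers_name() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# cert_valid_for_days CERT DAYS: 0 if CERT is still valid DAYS from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# make_pfx CERT KEY DOMAIN OUT PASSFILE: run the checks, write a random
# passphrase to PASSFILE and export OUT (both created owner-only).
make_pfx() {
  key_matches_cert "$1" "$2"  || { echo "key does not match certificate (or is unreadable)" >&2; return 1; }
  cert_covers_name "$1" "$3"  || { echo "certificate does not cover $3" >&2; return 1; }
  cert_valid_for_days "$1" 14 || { echo "certificate expires within 14 days" >&2; return 1; }
  ( umask 077 && openssl rand -base64 24 > "$5" &&
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -passout "file:$5" )
}

# Usage with certbot's output files (example.com is a placeholder):
#   make_pfx fullchain.pem privkey.pem example.com cert.pfx pfx.pass
```

The passphrase in `pfx.pass` is the value to supply as the import password; delete that file and `cert.pfx` once the certificate is in the Key Vault.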

Once the certificate is added, set up Custom HTTPS for the endpoint:

The final steps are setting up a service principal for access with the command provided above (make sure to use Connect-AzAccount). Once this is done, you’ll need to allow some time (around 6-8 hours) for the certificate import and CDN provisioning.


To make sure everything is in place, first check to ensure the status shows Custom HTTPS being enabled:

Afterwards, try accessing your site using HTTPS to confirm everything is working.

Redirecting all non-HTTP/root Traffic

The last step to getting this working is redirecting anything not going to https://<yourdomain>.com to the correct place. This can be done in the Premium CDN with Verizon plan by changing the traffic rules in the Custom rules engine:

This will take some time to propagate; you’ll know it’s complete when you see “Active XML” next to the rule.

Once this is done, you can validate by trying to access the site using HTTP, and seeing it redirect to HTTPS (make sure to use an Incognito tab if using Chrome).