Better inform users of when their App Service Certificates are about to expire or have not auto renewed (7 days?)
This week another of our customer's sites went down due to an Azure App Service certificate expiring without us being notified of its pending expiry - we mark all App Service Certificates to Auto Renew and some of them do in fact renew and rebind without our intervention, other certificates have got stuck on the domain validation phase (which we validated 1st time we bought the certificate of course) and the latest certificate is now expired and the Manual Renew button is disabled as it seems to think it's outside the 60 day renewal window.
A simple email to us (we receive Azure emails for all sorts of other alerts) or a Notification when we log in (see lots of these too) indicating that an Auto Renewal has failed and requires immediate attention is all that is needed.
Given I could not even manually renew this particular certificate I ended up using a letsencrypt.com free SSL to get the customer back online at short notice. If we have further issues with Azure certificates then we will probably ditch them and use a 3rd party provider, which is a shame since the Azure environment generally works extremely well.
We are currently investigating options on improving renewal of certs and notifying customers.
PLEASE improve this process. I have the exact same issues. Not only that, if I leave auto-renew on, I don't get notified that the certificate is going to renew and then I have no way of seeing which certificate was renewed so I have no idea which customer to bill! I contacted support about this issue and it was a month before I was told it's just not possible and to submit an issue here. My only option is to go into each certificate individually and look at the expiration date (because I can't view that on the list view) and try to guess at which ones were renewed based on the expiration dates.
Jeroen Ritmeijer commented
Could not agree more. Our public service went down because - even though auto renewal was enabled - the new certificate was just not applied. No errors, no alerts, just unexpected downtime.