Add the *.trafficmanager.net SSL Certificate to Webapps (websites)
Currently if you have a *.trafficmanager.net domain and point it to an azure website you get warnings from browsers saying that certificates don't match (if you make https requests).
This is because .azurewebsites.net have a certificate for .azurewebsites.net but not *.trafficmanager.net so trafficmanager is useless unless you have a custom domain + SSL cert. Makes it hard to try out without going HTTP only.
This is a rather simple fix afaik.
The team considered this ask and we have decided to not implement it. It is not considered security best practice to add wildcard SANs to certificates for a different service. It is assumed that you have both a custom domain and the proper SSL certificate for use with the TrafficManager scenario. For a dev\test scenario there are a couple options you may want to consider:
1. Buy a real cert and domain/sub-domain for your dev-test setup.
2. Create a self-signed certificate for your site with the *.trafficmanager.net SAN added to it and install this self-signed cert to the Trusted Certificate Authorities store on your clients to not get browser warnings.
Again, we have given it careful consideration and decided the best path is not to implement the ask.
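The hostname mismatch discussed above, as an added example that is not part of the original thread: a small RFC 6125-style check of a hostname against a certificate's DNS SAN entries, showing why a `*.azurewebsites.net` certificate does not cover a `.trafficmanager.net` name and how far a `*.trafficmanager.net` SAN reaches. The function names, SAN lists and hostnames are constructed for illustration.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """RFC 6125-style match of one hostname against one dNSName SAN entry."""
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        # A wildcard stands for exactly one leftmost label and must be
        # followed by at least two literal labels ("*.net" never matches).
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    # Partial wildcards such as "f*.example" are treated as literals here,
    # so they never match a real hostname.
    return host == pattern


def covering_sans(hostname, sans):
    """SAN entries that cover hostname; an empty list means a name-mismatch warning."""
    return [s for s in sans if san_matches(hostname, s)]


# Constructed SAN lists (assumptions, not read from real certificates).
APP_SERVICE_DEFAULT = ["*.azurewebsites.net"]
CUSTOM_CERT = ["www.contoso.example", "contoso.example"]
SELF_SIGNED_DEVTEST = ["*.trafficmanager.net"]

if __name__ == "__main__":
    checks = [
        ("myapp.azurewebsites.net", APP_SERVICE_DEFAULT),
        ("myapp.trafficmanager.net", APP_SERVICE_DEFAULT),
        ("myapp.trafficmanager.net", CUSTOM_CERT),
        ("myapp.trafficmanager.net", SELF_SIGNED_DEVTEST),
        ("eu.myapp.trafficmanager.net", SELF_SIGNED_DEVTEST),
    ]
    for host, sans in checks:
        hits = covering_sans(host, sans)
        print(f"{host:30} vs {sans}: {'OK ' + hits[0] if hits else 'MISMATCH'}")
```

The self-signed `*.trafficmanager.net` entry matches every single-label name under that domain, so any client that trusts it trusts whoever holds its private key for all of those names.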
Michael Kusmiy commented
Now you can use *.trafficmanager.net with SSL if using Azure Managed Certificates (in preview)
It is not available out-of-the-box (even though SSL for TM in WebApp has green checkbox already) - however can be easily achieved using small PS snippet - see following URLs for additional reference and the PS script:
Andrew Hunt commented
Be aware of the "Certificates per Registered Domain" limit if you go down the LetsEncrypt route... It is based on the "trafficmanager.net" domain as a whole, so if a lot of people start doing that then we'll all be in trouble.
Craig Humphrey commented
Lucas Huet-Hudson commented
I would love to see this feature reviewed once more. Automatically adding the certificates would greatly increase the viability and ease of use of Azure Traffic Manager.
Luke Arentz commented
I'd love to see this feature revived. It seems like it should be trivial for Microsoft to implement this. In any case for those who still want this, you can use LetsEncrypt to create certificates for your traffic manager domain. Then you can install these certs onto your WebApp.
Christopher Welles commented
How do I vote for something that's been DECLINED?
Christopher Welles commented
It seems like a no-brainer to add this. There's no good reason to not do this, and doing without this makes leveraging Traffic Manager a lot more effort than it needs to be. The idea that it's not a best practice to use certificates this way really doesn't hold any weight. Microsoft is doing it themselves for custom branding within their AzureAD infrastructure.
I'm looking to stand everything up with an ARM template, and this makes that significantly more challenging.
Chris Williams commented
My sites are all "degraded" because my site requires https and traffic manager insists on making requests using a .trafficmanager.net domain name, for which I don't have a certificate.
You could either add the *.trafficmanager.net certificate to Azure App Service or ignore certificate errors when you make https calls to the endpoint. I'd prefer the latter, but either would work.
Daniel Ignatius Jian-Ye Lee commented
I've applied Custom SSL to my Custom Domain on the ASE platform. However, after I enabled HTTPS on the Azure Traffic Manager, the browser shows the SSL certificate is not valid for cso.trafficmanager.net. If I don't apply SSL on the Traffic Manager it will redirect to HTTPS anyway at my site as I've enabled HTTPS. This will cause the status to be "degraded". Please advise.
Any update? Traffic manager should support https.
Giuseppe Marchi commented
After enabling HTTPS on Azure Traffic Manager, the browser shows the not valid certificate for the URL <mytesturl>.trafficmanager.net
This is not the behavior of URLs <mytesturl>.azurewebsites.net
Please add a valid certificate also for that domain. Thanks