After trying to configure a custom domain for the Azure PaaS Orchestrator, why is it failing to initialize?
Issue Description
When configuring a custom domain for Azure PaaS Orchestrator, initialization can fail because of a limitation in how the Orchestrator and Identity app services communicate. The two services talk to each other over HTTPS, and the calling service validates the TLS certificate presented by the other against the trusted root store of the App Service platform. Specifically, the following limitation applies:
- Self-signed and private CA certificates are not trusted: on shared (multi-tenant) App Service plans, the trusted root store cannot be extended, so neither self-signed certificates nor certificates issued by a private CA (Certificate Authority) are accepted. As a result, the Identity server does not trust such a certificate, and the connection is dropped when Orchestrator attempts to reach the Identity server for authentication.
- App Service Environment (ASE) exception: this limitation does not apply to an App Service Environment, where a root CA certificate can be imported under the root folder via the Kudu console, after which the two app services can communicate securely using certificates issued by that CA.
Cause of the Issue
When a user accesses Orchestrator, it redirects to the Identity server for authentication. If the custom domain is secured with a certificate that does not chain to a trusted root, the Identity server rejects the connection as untrusted. On a shared App Service plan only certificates issued by a public CA chain to a trusted root, so authentication fails as soon as a custom domain with a self-signed or private-CA certificate is used.
Resolution
To resolve this issue, you have two options:
- Use the default Azure domain: continue using the azurewebsites.net host names, whose certificates are issued by a public CA and are trusted by default.
- Obtain public CA certificates: get certificates from a public Certificate Authority for the custom domain of both the Orchestrator and Identity app services. Public CA certificates chain to roots the App Service platform already trusts, so the services can communicate securely over the custom domain.
By applying one of these solutions, Orchestrator can reach the Identity server for authentication while using a custom domain.
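Before switching to a custom domain, it is worth confirming from inside the App Service whether the certificate on the Identity host actually chains to a root the platform trusts. The following diagnostic is an added example, not part of the original article or of UiPath's code. It is meant to be run from the Kudu PowerShell debug console of the Orchestrator App Service (so the chain is evaluated against the same trusted-root store the app uses); the host name `identity.contoso.example` is an assumed placeholder. It completes the TLS handshake regardless of trust, then rebuilds the chain with `X509Chain` and reports whether the failure is a self-signed leaf, a private CA root, a host-name mismatch, or something else such as expiry.

```powershell
# Added diagnostic, not part of the original article or of UiPath's code.
# Run from the Kudu PowerShell debug console of the Orchestrator App Service.
# $identityHost is an assumed placeholder: set it to your Identity custom domain.
$identityHost = "identity.contoso.example"
$port         = 443

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

# Accept the remote certificate unconditionally so the handshake completes and
# the chain can be inspected afterwards. Diagnostic use only: an always-true
# validator must never ship in application code.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($identityHost, $port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($identityHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Rebuild the chain against this host's trusted root store. Revocation is
    # skipped so an unreachable CRL/OCSP responder does not mask the trust question.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    "Subject : $($leaf.Subject)"
    "Issuer  : $($leaf.Issuer)"
    "Valid   : $($leaf.NotBefore) .. $($leaf.NotAfter)"
    "Chain   : $($chain.ChainElements.Count) element(s); status = $(if ($status) { $status -join ', ' } else { 'OK' })"

    if ($script:policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
        "FAIL    : certificate does not cover host name $identityHost"
    }
    elseif ($leaf.Subject -eq $leaf.Issuer -and -not $trusted) {
        "FAIL    : self-signed certificate; not trusted on a shared App Service plan"
    }
    elseif ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain') {
        "FAIL    : chain ends in a root this host does not trust (private CA);"
        "          use a public CA certificate, or import the root via Kudu on an ASE"
    }
    elseif (-not $trusted) {
        "FAIL    : chain rejected for another reason, see status above (e.g. expired)"
    }
    else {
        "OK      : chain is trusted here; the custom domain can be used for Orchestrator <-> Identity"
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

An `OK` result on the azurewebsites.net host name and an `UntrustedRoot` or `PartialChain` result on the custom domain is exactly the situation the article describes; the same script run on an ASE after importing the private root should report `OK` for the custom domain as well.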