After configuring a custom domain for the Azure PaaS Orchestrator, why does it fail to initialize?
The two app services, Identity and Orchestrator, communicate with each other over HTTPS. If you are using shared App Service plans, there is a limitation on Microsoft's side: self-signed certificates and certificates issued by a private CA are not accepted.
This limitation does not apply to ASE (App Service Environment), where the root CA certificate can be imported under the root folder from KUDU. Whenever the Orchestrator is accessed, it redirects to the Identity server for authentication. The Identity server will not trust the certificate and will drop the connection.
This is why the azurewebsites.net domain can be used and a custom one cannot.
- The solution, in this case, is to either use the default Azure domain or generate public CA certificates for both app services (public CA certificates are trusted by default).
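
To confirm which case applies before changing certificates, the check below performs the same kind of TLS handshake a client with only public roots would make and reports why the certificate is rejected. It is an added example, not UiPath or Microsoft code; the host names are placeholders, and it assumes the machine running it has no private CA in its own trust store.

```python
import socket
import ssl

# OpenSSL verify codes behind the two certificate kinds the article names.
UNTRUSTED = {
    18: "self-signed certificate",
    19: "self-signed root in the chain (private CA not in the trust store)",
    20: "issuer not found in the trust store (private CA or missing intermediate)",
    21: "leaf signature cannot be verified (issuer certificate not supplied)",
}


def explain(exc):
    """Turn a certificate verification failure into a readable reason."""
    return UNTRUSTED.get(exc.verify_code, exc.verify_message)


def diagnose(host, port=443, timeout=5.0):
    """Handshake as a client with default (public-root) trust.

    Returns (status, detail); status is 'trusted', 'untrusted',
    'tls-error' or 'unreachable'.
    """
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("organizationName") or issuer.get("commonName")
                return "trusted", name or "unknown issuer"
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", explain(exc)
    except ssl.SSLError as exc:
        return "tls-error", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    # Placeholder host names; replace with the two app services' custom domains.
    for name in ("orchestrator.example.com", "identity.example.com"):
        print(name, *diagnose(name))
```

An `untrusted` result with one of the listed reasons on either custom domain matches the failure described above; `trusted` on both means the certificates chain to a public CA.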