排查 Azure 应用服务中的域和 TLS/SSL 证书问题Troubleshoot domain and TLS/SSL certificate problems in Azure App Service

本文列出了为 Azure 应用服务中的 Web 应用配置域或 TLS/SSL 证书时可能遇到的常见问题。This article lists common problems that you might encounter when you configure a domain or TLS/SSL certificate for your web apps in Azure App Service. 此外,还描述了这些问题的可能原因和解决方案。It also describes possible causes and solutions for these problems.

对于本文中的任何内容,如果需要更多帮助,可以联系 MSDN 和 Stack Overflow 论坛上的 Azure 专家。If you need more help at any point in this article, you can contact the Azure experts on the MSDN and Stack Overflow forums. 或者,也可以提出 Azure 支持事件。Alternatively, you can file an Azure support incident. 请转到 Azure 支持站点并选择“获取支持”。Go to the Azure Support site and select Get Support.


本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

证书问题Certificate problems

无法向应用添加 TLS/SSL 证书绑定You can't add a TLS/SSL certificate binding to an app


添加 TLS 绑定时收到以下错误消息:When you add a TLS binding, you receive the following error message:

“未能添加 SSL 绑定。"Failed to add SSL binding. 无法设置现有 VIP 的证书,因为另一个 VIP 已使用该证书。”Cannot set certificate for existing VIP because another VIP already uses that certificate."


如果对跨多个应用的同一 IP 地址使用多个基于 IP 的 SSL 绑定,则可能会出现此问题。This problem can occur if you have multiple IP-based SSL bindings for the same IP address across multiple apps. 例如,应用 A 具有采用旧证书的基于 IP 的 SSL。For example, app A has an IP-based SSL with an old certificate. 应用 B 对同一 IP 地址使用采用新证书的基于 IP 的 SSL。App B has an IP-based SSL with a new certificate for the same IP address. 使用新证书更新应用 TLS 绑定时,失败并显示此错误,因为同一个 IP 地址已用于另一应用。When you update the app TLS binding with the new certificate, it fails with this error because the same IP address is being used for another app.


若要解决此问题,请使用以下方法之一:To fix this problem, use one of the following methods:

  • 在应用中删除使用旧证书的基于 IP 的 SSL 绑定。Delete the IP-based SSL binding on the app that uses the old certificate.
  • 新建使用新证书的基于 IP 的 SSL 绑定。Create a new IP-based SSL binding that uses the new certificate.

无法删除证书You can't delete a certificate


尝试删除证书时出现以下错误消息:When you try to delete a certificate, you receive the following error message:

“无法删除证书,因为它当前正用于 TLS/SSL 绑定。"Unable to delete the certificate because it is currently being used in a TLS/SSL binding. 必须先删除 TLS 绑定,然后才能删除证书。”The TLS binding must be removed before you can delete the certificate."


如果另一个应用使用了该证书,则可能会出现此问题。This problem might occur if another app uses the certificate.


从应用中删除该证书的 TLS 绑定。Remove the TLS binding for that certificate from the apps. 然后尝试删除证书。Then try to delete the certificate. 如果仍然无法删除证书,请清除 Internet 浏览器缓存,并在新浏览器窗口中重新打开 Azure 门户。If you still can't delete the certificate, clear the internet browser cache and reopen the Azure portal in a new browser window. 然后尝试删除证书。Then try to delete the certificate.

自定义域问题Custom domain problems

自定义域返回 404 错误A custom domain returns a 404 error


使用自定义域名浏览到站点时,收到以下错误消息:When you browse to the site by using the custom domain name, you receive the following error message:

“错误 404 - 找不到 Web 应用”。"Error 404-Web app not found."

原因和解决方法Cause and solution

原因 1Cause 1

配置的自定义域缺少 CNAME 或 A 记录。The custom domain that you configured is missing a CNAME or A record.

原因 1 的解决方法Solution for cause 1

  • 如果添加了 A 记录,请确保同时添加 TXT 记录。If you added an A record, make sure that a TXT record is also added. 有关详细信息,请参阅创建 A 记录For more information, see Create the A record.
  • 如果不需要对应用使用根域,我们建议使用 CNAME 记录,而不要使用 A 记录。If you don't have to use the root domain for your app, we recommend that you use a CNAME record instead of an A record.
  • 不要对同一个域同时使用 CNAME 记录和 A 记录。Don't use both a CNAME record and an A record for the same domain. 此问题可能会导致冲突,并阻止域解析。This issue can cause a conflict and prevent the domain from being resolved.

原因 2Cause 2

Internet 浏览器可能仍在缓存域的旧 IP 地址。The internet browser might still be caching the old IP address for your domain.

原因 2 的解决方法Solution for Cause 2

清除浏览器缓存。Clear the browser. 对于 Windows 设备,可以运行命令 ipconfig /flushdnsFor Windows devices, you can run the command ipconfig /flushdns. 使用 WhatsmyDNS.net 验证域是否指向应用的 IP 地址。Use WhatsmyDNS.net to verify that your domain points to the app's IP address.

无法添加子域You can't add a subdomain


无法将新主机名添加到应用,因此无法分配子域。You can't add a new host name to an app to assign a subdomain.


  • 咨询订阅管理员,确保有权将主机名添加到应用。Check with subscription administrator to make sure that you have permissions to add a host name to the app.
  • 如果需要更多子域,我们建议将域托管服务更改为 Azure 域服务 (DNS)。If you need more subdomains, we recommend that you change the domain hosting to Azure Domain Name Service (DNS). 使用 Azure DNS 可将 500 个主机名添加到应用。By using Azure DNS, you can add 500 host names to your app. 有关详细信息,请参阅添加子域For more information, see Add a subdomain.

无法解析 DNSDNS can't be resolved


收到以下错误消息:You received the following error message:

“找不到 DNS 记录。”"The DNS record could not be located."


此问题是由以下原因之一导致的:This problem occurs for one of the following reasons:

  • 生存期 (TTL) 未过。The time to live (TTL) period has not expired. 检查域的 DNS 配置以确定 TTL 值,然后等到期限已过。Check the DNS configuration for your domain to determine the TTL value, and then wait for the period to expire.
  • DNS 配置不正确。The DNS configuration is incorrect.


  • 等待 48 小时,让此问题自行解决。Wait for 48 hours for this problem to resolve itself.
  • 如果可以在 DNS 配置中更改 TTL 设置,请将值更改为 5 分钟,然后看看是否能解决问题。If you can change the TTL setting in your DNS configuration, change the value to 5 minutes to see whether this resolves the problem.
  • 使用 WhatsmyDNS.net 验证域是否指向应用的 IP 地址。Use WhatsmyDNS.net to verify that your domain points to the app's IP address. 如果不是,请将 A 记录配置为应用的正确 IP 地址。If it doesn't, configure the A record to the correct IP address of the app.

需要还原已删除的域You need to restore a deleted domain


域不再显示在 Azure 门户中。Your domain is no longer visible in the Azure portal.


订阅所有者可能意外删除了该域。The owner of the subscription might have accidentally deleted the domain.


如果域的删除时间不超过七天,则尚未对该域启动删除过程。If your domain was deleted fewer than seven days ago, the domain has not yet started the deletion process. 在这种情况下,可以在 Azure 门户中的同一个订阅下再次购买同一个域。In this case, you can buy the same domain again on the Azure portal under the same subscription. (请务必在搜索框中键入确切的域名。)此域不会重复产生费用。(Be sure to type the exact domain name in the search box.) You won't be charged again for this domain. 如果该域的删除时间超过七天,请求助 Azure 支持来还原该域。If the domain was deleted more than seven days ago, contact Azure support for help with restoring the domain.

域问题Domain problems

为错误的域购买了 TLS/SSL 证书You purchased a TLS/SSL certificate for the wrong domain


为错误的域购买了应用服务证书,You purchased an App Service certificate for the wrong domain. 并且无法将该证书更新为使用正确的域。You can't update the certificate to use the correct domain.


删除该证书,然后购买新证书。Delete that certificate and then buy a new certificate.

如果使用错误域的当前证书处于“已颁发”状态,则该证书也会产生费用。If the current certificate that uses the wrong domain is in the “Issued” state, you'll also be billed for that certificate. 应用服务证书不可退款,但你可以联系 Azure 支持,看看是否还有其他解决办法。App Service certificates are not refundable, but you can contact Azure support to see whether there are other options.

应用服务证书已续订,但应用显示旧证书An App Service certificate was renewed, but the app shows the old certificate


应用服务证书已续订,但使用应用服务证书的应用仍在使用旧证书。The App Service certificate was renewed, but the app that uses the App Service certificate is still using the old certificate. 此外,出现需要 HTTPS 协议的警告。Also, you received a warning that the HTTPS protocol is required.


应用服务会在 48 小时内自动同步证书。App Service automatically syncs your certificate within 48 hours. 在轮换或更新证书时,应用程序有时仍会检索旧证书而不是最近更新的证书,When you rotate or update a certificate, sometimes the application is still retrieving the old certificate and not the newly updated certificate. 原因是同步证书资源的作业尚未运行。The reason is that the job to sync the certificate resource hasn't run yet. 单击“同步”。同步操作会自动更新应用服务中证书的主机名绑定,而不会导致应用停机。Click Sync. The sync operation automatically updates the hostname bindings for the certificate in App Service without causing any downtime to your apps.


可以强制同步证书:You can force a sync of the certificate:

  1. 登录到 Azure 门户Sign in to the Azure portal. 选择“应用服务证书”,然后选择该证书。Select App Service Certificates, and then select the certificate.
  2. 选择“重新生成密钥并同步”,然后选择“同步”。 同步过程需要一段时间才能完成。Select Rekey and Sync, and then select Sync. The sync takes some time to finish.
  3. 同步完成后,会看到以下通知:“已成功使用最新的证书更新了所有资源。”When the sync is completed, you see the following notification: "Successfully updated all the resources with the latest certificate."

域验证无法进行Domain verification is not working


应用服务证书要求先经过域验证,然后该证书才可供使用。The App Service certificate requires domain verification before the certificate is ready to use. 选择“验证”时,验证过程失败。When you select Verify, the process fails.


通过添加 TXT 记录来手动验证域:Manually verify your domain by adding a TXT record:

  1. 转到托管域名的域名服务 (DNS) 提供商站点。Go to the Domain Name Service (DNS) provider that hosts your domain name.
  2. 添加域的 TXT 记录,该记录使用 Azure 门户中显示的域令牌的值。Add a TXT record for your domain that uses the value of the domain token that's shown in the Azure portal.

等待几分钟以运行 DNS 传播,然后选择“刷新”按钮以触发验证。Wait a few minutes for DNS propagation to run, and then select the Refresh button to trigger the verification.

另一种做法是使用 HTML 网页方法来手动验证域。As an alternative, you can use the HTML webpage method to manually verify your domain. 此方法可让证书颁发机构确认为其颁发证书的域的域所有权。This method allows the certificate authority to confirm the domain ownership of the domain that the certificate is issued for.

  1. 创建名为 {域验证令牌}.html 的 HTML 文件。Create an HTML file that's named {domain verification token}.html. 此文件的内容应为域验证令牌的值。The content of this file should be the value of domain verification token.
  2. 将此文件上传到托管域的 Web 服务器的根目录。Upload this file at the root of the web server that's hosting your domain.
  3. 选择“刷新”,检查证书状态。Select Refresh to check the certificate status. 验证可能需要几分钟才能完成。It might take few minutes for verification to finish.

例如,如果为 azure.com 购买了域验证令牌为 1234abcd 的标准证书,则对 https://azure.com/1234abcd.html 发出的 Web 请求应返回 1234abcd。For example, if you're buying a standard certificate for azure.com with the domain verification token 1234abcd, a web request made to https://azure.com/1234abcd.html should return 1234abcd.


下达证书订单后,只有 15 天时间用于完成域验证操作。A certificate order has only 15 days to complete the domain verification operation. 15 天过后,证书颁发机构拒绝证书,但该证书不会产生费用。After 15 days, the certificate authority denies the certificate, and you are not charged for the certificate. 在此情况下,请删除该证书并重试。In this situation, delete this certificate and try again.

无法购买某个域You can't purchase a domain


不能在 Azure 门户中购买应用服务域。You can't buy an App Service domain in the Azure portal.

原因和解决方法Cause and solution

此问题是由以下原因之一导致的:This problem occurs for one of the following reasons:

  • Azure 订阅中没有信用卡,或信用卡无效。There's no credit card on the Azure subscription, or the credit card is invalid.

    解决方案:将有效的信用卡添加到订阅。Solution: Add a valid credit card to your subscription.

  • 你不是订阅所有者,因此无权购买域。You're not the subscription owner, so you don't have permission to purchase a domain.

    解决方案:向帐户 分配“所有者”角色Solution: Assign the Owner role to your account. 或者联系订阅管理员以获取购买域的权限。Or contact the subscription administrator to get permission to purchase a domain.

  • 已达到订阅中可购买域数的限制。You have reached the limit for purchasing domains on your subscription. 当前限制为 20 个。The current limit is 20.

    解决方案:若要请求提高限制,请联系 Azure 支持Solution: To request an increase to the limit, contact Azure support.

  • Azure 订阅类型不支持购买应用服务域。Your Azure subscription type does not support the purchase of an App Service domain.

    解决方案:将 Azure 订阅升级到其他订阅类型,例如预付费订阅。Solution: Upgrade your Azure subscription to another subscription type, such as a Pay-In-Advanced subscription.

无法将主机名添加到应用You can't add a host name to an app


在添加主机名的过程中无法验证域。When you add a host name, the process fails to validate and verify the domain.


此问题是由以下原因之一导致的:This problem occurs for one of the following reasons:

  • 无权添加主机名。You don’t have permission to add a host name.

    解决方案:让订阅管理员为你授予添加主机名的权限。Solution: Ask the subscription administrator to give you permission to add a host name.

  • 无法验证域所有权。Your domain ownership could not be verified.

    解决方案:验证是否已正确配置 CNAME 或 A 记录。Solution: Verify that your CNAME or A record is configured correctly. 若要将自定义域映射到应用,请创建 CNAME 记录或 A 记录。To map a custom domain to an app, create either a CNAME record or an A record. 若要使用根域,必须使用 A 记录和 TXT 记录:If you want to use a root domain, you must use A and TXT records:

    记录类型Record type 主机Host 指向Point to
    AA @ 应用的 IP 地址IP address for an app
    TXTTXT @ .chinacloudsites.cn.chinacloudsites.cn
    CNAMECNAME wwwwww .chinacloudsites.cn.chinacloudsites.cn


购买网站的自定义域后是否必须配置该域?Do I have to configure my custom domain for my website once I buy it?

通过 Azure 门户购买某个域时,应用服务应用程序会自动配置为使用该自定义域。When you purchase a domain from the Azure portal, the App Service application is automatically configured to use that custom domain. 你不需要执行任何额外的步骤。You don’t have to take any additional steps.

是否可以使用在 Azure 门户中购买的域来指向 Azure VM?Can I use a domain purchased in the Azure portal to point to an Azure VM instead?

是的,可将该域指向 VM。Yes, you can point the domain to a VM. 有关详细信息,请参阅使用 Azure DNS 为 Azure 服务提供自定义域设置For more information, see Use Azure DNS to provide custom domain settings for an Azure service.

我的域是由 GoDaddy 还是 Azure DNS 托管?Is my domain hosted by GoDaddy or Azure DNS?

应用服务域使用 GoDaddy 进行域注册,使用 Azure DNS 来托管域。App Service Domains use GoDaddy for domain registration and Azure DNS to host the domains.

我已启用自动续订,但仍收到了有关域续订的电子邮件通知。I have auto-renew enabled but still received a renewal notice for my domain via email. What should I do?

如果你已启用自动续订,则不需要执行任何操作。If you have auto-renew enabled, you do not need to take any action. 电子邮件通知旨在告诉你该域即将过期,如果未启用自动续订,则需要手动续订。The notice email is provided to inform you that the domain is close to expiring and to renew manually if auto-renew is not enabled.

在 Azure DNS 中托管域是否要付费?Will I be charged for Azure DNS hosting my domain?

最初的域购买费用仅适用于域注册。The initial cost of domain purchase applies to domain registration only. 除了注册费用以外,Azure DNS 还会根据用量收费。In addition to the registration cost, there are incurring charges for Azure DNS based on your usage. 有关详细详细,请参阅 Azure DNS 定价For more information, see Azure DNS pricing for more details.

我的域是之前在 Azure 门户中购买的,现在想要从 GoDaddy 托管改为 Azure DNS 托管。如何执行此操作?I purchased my domain earlier from the Azure portal and want to move from GoDaddy hosting to Azure DNS hosting. How can I do this?

不一定非要迁移到 Azure DNS 托管。It is not mandatory to migrate to Azure DNS hosting. 如果你确实想要迁移到 Azure DNS,Azure 门户中的域管理体验会提供有关转移到 Azure DNS 的步骤信息。If you do want to migrate to Azure DNS, the domain management experience in the Azure portal about provides information on steps necessary to move to Azure DNS. 如果域通过应用服务购买的,则从 GoDaddy 托管迁移到 Azure DNS 的过程相对较为顺畅。If the domain was purchased through App Service, migration from GoDaddy hosting to Azure DNS is relatively seamless procedure.

如果通过应用服务域购买域,是否可以在 GoDaddy 而不是 Azure DNS 中托管该域?I would like to purchase my domain from App Service Domain but can I host my domain on GoDaddy instead of Azure DNS?

从 2017 年 7 月 24 日开始,在门户中购买的应用服务域将托管在 Azure DNS 中。Beginning July 24, 2017, App Service domains purchased in the portal are hosted on Azure DNS. 如果你想要使用其他托管提供商,则必须转到其网站以获取域托管解决方案。If you prefer to use a different hosting provider, you must go to their website to obtain a domain hosting solution.

是否需要支付域的隐私保护费用?Do I have to pay for privacy protection for my domain?

通过 Azure 门户购买域时,可以选择免费添加隐私保护。When you purchase a domain through the Azure portal, you can choose to add privacy at no additional cost. 这是通过 Azure 应用服务购买域所能获得的权益之一。This is one of the benefits of purchasing your domain through Azure App Service.

如果我不再想要使用我的域,是否可以获得退款?If I decide I no longer want my domain, can I get my money back?

购买域时,你可以免费试用 5 天,在此期间,可以决定是否要继续使用。When you purchase a domain, you are not charged for a period of five days, during which time you can decide that you do not want the domain. 如果在这五天内你决定不需要该域,则不会产生费用。If you do decide you don’t want the domain within that five-day period, you are not charged. (.uk 域例外。(.uk domains are an exception to this. 购买 .uk 域会立即产生费用,而不能获得退款)。If you purchase a .uk domain, you are charged immediately and you cannot be refunded.)

是否可以在订阅中的另一个 Azure 应用服务应用中使用域?Can I use the domain in another Azure App Service app in my subscription?

是的。Yes. 在 Azure 门户中访问“自定义域和 TLS”边栏选项卡时,会看到已购买的域。When you access the Custom Domains and TLS blade in the Azure portal, you see the domains that you have purchased. 可将应用配置为使用其中的任何域。You can configure your app to use any of those domains.

是否可将域从一个订阅转移到另一个订阅?Can I transfer a domain from one subscription to another subscription?

可以使用 Move-AzResource PowerShell cmdlet 将域转移到另一个订阅/资源组。You can move a domain to another subscription/resource group using the Move-AzResource PowerShell cmdlet.

如果我当前没有 Azure 应用服务应用,该如何管理自定义域?How can I manage my custom domain if I don’t currently have an Azure App Service app?

即使没有应用服务 Web 应用,也可以管理域。You can manage your domain even if you don’t have an App Service Web App. 域可用于虚拟机、存储等 Azure 服务。如果你打算将域用于应用服务 Web 应用,则需要添加一个未包含在免费应用服务计划中的 Web 应用才能将域绑定到 Web 应用。Domain can be used for Azure services like Virtual machine, Storage etc. If you intend to use the domain for App Service Web Apps, then you need to include a Web App that is not on the Free App Service plan in order to bind the domain to your web app.

是否可将使用自定义域的 Web 应用移到另一个订阅,或者将其从应用服务环境 v1 移到 v2?Can I move a web app with a custom domain to another subscription or from App Service Environment v1 to V2?

是的,可以在订阅之间移动 Web 应用。Yes, you can move your web app across subscriptions. 请遵照如何在 Azure 中移动资源中的指导操作。Follow the guidance in How to move resources in Azure. 移动 Web 应用时存在一些限制。There are a few limitations when moving the web app. 有关详细信息,请参阅移动应用服务资源时存在的限制For more information, see Limitations for moving App Service resources.

移动 Web 应用之后,自定义域设置中的域的主机名绑定应保持不变。After moving the web app, the host name bindings of the domains within the custom domains setting should remain the same. 无需执行额外的步骤即可配置主机名绑定。No additional steps are required to configure the host name bindings.