Reputation: 8958
I have a SaaS application where by default customers get their own URL on our domain, like saas.application.com/company-a. They can however configure a "vanity domain" using a subdomain on their own domain by setting up a CNAME record pointing to us. Something like this:
saas.company-a.com CNAME saas.application.com
We validate that the record indeed points to us and generate a certificate (current setup is using cert-manager and Traefik in Kubernetes).
We want to start using Azure Front Door and let it handle cert generation/renewal. However, when setting up custom domains in Front Door, we need to validate each custom domain using a TXT record.
This will complicate the setup process for our customers (currently they only need to add a CNAME record), and we will have to ask existing customers to set up TXT records so that their domains can be validated when we migrate to Front Door. This is a show-stopper for us; is there an alternative that I'm not seeing?
Upvotes: 1
Views: 2225
Reputation: 429
Unfortunately with the new Azure Front Door product this is no longer possible. A TXT record is required to obtain an SSL certificate.
Even when bringing your own certificate, the custom domain will stay on the status 'Pending' until the TXT record is added. While the status is 'Pending', I found that the site will respond with HTTP 502: MismatchCert (Hostname mismatch) Blocked by SSL_HOST_MISMATCH.
Another option is to use the older version of Azure Front Door (Classic). This tier allows you to verify the domain using only a CNAME record.
You can compare the features between Standard, Premium and Classic here: https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/tier-comparison#feature-comparison-between-tiers
Upvotes: 2
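As an added example that is not from the question or the answer: an offline checker for the two DNS checks this thread discusses, the CNAME-points-to-us validation the question performs and the TXT record Front Door requires. The sample zone, the lookup hook and the `_dnsauth` record prefix are assumptions for illustration; the CNAME check is exact-match with loop and hop limits, so a suffix look-alike or a looping chain is rejected.

```python
"""Offline checker for the two DNS checks this thread discusses: the CNAME
validation the question describes, and the TXT record Front Door requires.
The lookup is injectable, so it runs here against a constructed sample zone."""
from typing import Callable, Dict, List, Tuple

# Constructed sample zone (not real DNS data): name -> rtype -> values.
SAMPLE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "saas.company-a.com.": {"CNAME": ["saas.application.com."]},
    "saas.company-b.com.": {"CNAME": ["cdn.company-b.com."]},
    "cdn.company-b.com.": {"CNAME": ["saas.application.com."]},
    # Looks like us only by suffix; an endswith() check would wrongly accept it.
    "saas.company-c.com.": {"CNAME": ["saas.application.com.evil.example."]},
    "loop.company-d.com.": {"CNAME": ["loop2.company-d.com."]},
    "loop2.company-d.com.": {"CNAME": ["loop.company-d.com."]},
    "_dnsauth.saas.company-a.com.": {"TXT": ["example-token"]},
}

Lookup = Callable[[str, str], List[str]]

def zone_lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a resolver query; swap in dnspython for real checks."""
    return SAMPLE_ZONE.get(name, {}).get(rtype, [])

def fqdn(name: str) -> str:
    """Lower-case, trailing-dot form so comparisons are exact, not fuzzy."""
    return name.lower().rstrip(".") + "."

def cname_points_to(domain: str, target: str, lookup: Lookup = zone_lookup,
                    max_hops: int = 8) -> Tuple[bool, str]:
    """Follow the CNAME chain from `domain`; True only if it ends exactly at
    `target`. Loops and over-long chains are rejected with a reason."""
    seen = set()
    current = fqdn(domain)
    for _ in range(max_hops):
        if current in seen:
            return False, f"CNAME loop at {current}"
        seen.add(current)
        cnames = lookup(current, "CNAME")
        if not cnames:
            return False, f"no CNAME at {current}"
        current = fqdn(cnames[0])
        if current == fqdn(target):
            return True, "ok"
    return False, f"more than {max_hops} hops from {fqdn(domain)}"

def has_txt_token(domain: str, token: str, lookup: Lookup = zone_lookup,
                  prefix: str = "_dnsauth") -> bool:
    """TXT at <prefix>.<domain> carries the token; the prefix is assumed."""
    return token in lookup(f"{prefix}.{fqdn(domain)}", "TXT")
```

Running both checks per customer domain before the migration gives a list of tenants who already pass the CNAME check but still lack the TXT record.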