microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Limitation on validating managed Certificate and custom domain for container apps with only internal Ingress #910

Open moattarwork opened 12 months ago

moattarwork commented 12 months ago

This issue is a:

Issue description

I've created a container app with ingress through an internal VNet. At the time of assigning the custom domain, it can't validate the domain name, and after spending 2 days investigating the issue, it turns out there is a limitation for container apps that are not publicly available apps. I just wanted to confirm this first and also know the reason behind this, as we are targeting to move all of our services from App Services, AKS, etc. to this, and this type of managed certificate is already available in all of those environments in the same way, so I would appreciate it if you could help me understand this better. From my point of view, it looks more like a bug to me rather than a lack of a feature; however, I would appreciate it if there is a better clarification on this.

vinisoto commented 11 months ago

hi @moattarwork,

What is your scenario? Do you have a Private DNS?

moattarwork commented 11 months ago

Hi @vinisoto, that is correct. We are still in a hybrid environment in which our DNS server is maintained in our on-premises AD, and we have a DNS forwarder to forward our DNS queries to our zones in our Azure subscriptions. The Managed Environment and apps are hosted in Azure and are attached to a private VNet which has ingress traffic to/from our on-premises environment. The issue that we are facing is that to enable a custom domain we need a certificate, and managed certificates for ACA seem to have a requirement for publicly available apps. Use of the managed certificate makes the process much easier for us, and we already have the same configuration for both App Services and AKS, so it is not clear to me what the problem is with ACA unless it is a missing feature due to timing. We are already implementing a workaround to use our own certificate (dedicated or wildcard) and it is working, but it would be nicer and more practical if we had the chance of using a managed certificate.

vinisoto commented 9 months ago

Unfortunately, this is not something that we are able to support currently. Our control plane needs to be able to reach your DNS to validate ownership, and the certificate issuer (DigiCert) needs to be able to reach your application over the internet (to validate root/APEX domains).
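An added pre-flight check, not from this thread or the Azure Container Apps project, that encodes the two conditions given in the reply above: the control plane must find an ownership record in DNS it can reach, and the issuer must be able to reach the app at a globally routable address, so a hostname that only resolves to a private address (internal ingress) fails before a certificate request is even attempted. The DNS answers, environment default domain and static IP are constructed assumptions.

```python
"""Pre-flight check for an Azure Container Apps managed certificate.

Checks what a *public* resolver returns for the custom hostname against the
environment's assumed default domain and ingress IP. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsAnswer:
    """What a public resolver returns for the custom hostname (constructed)."""
    cname: Optional[str] = None                          # CNAME target, if any
    addresses: List[str] = field(default_factory=list)   # final A/AAAA records
    txt: List[str] = field(default_factory=list)         # TXT on the ownership name


@dataclass
class CheckResult:
    ok: bool
    reasons: List[str]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def check_managed_cert_readiness(answer: DnsAnswer, env_default_domain: str,
                                 env_static_ip: str,
                                 expected_txt: Optional[str] = None) -> CheckResult:
    reasons: List[str] = []
    # 1. Ownership proof the control plane can reach: a CNAME to the environment's
    #    default domain, or (apex case) the expected TXT value on the hostname.
    cname_ok = answer.cname is not None and _norm(answer.cname) == _norm(env_default_domain)
    txt_ok = expected_txt is not None and any(t.strip('"') == expected_txt for t in answer.txt)
    if not (cname_ok or txt_ok):
        reasons.append("no ownership proof in public DNS (CNAME to environment or TXT record)")
    # 2. Issuer reachability: the name must resolve to the environment's globally
    #    routable ingress IP; a private address means internal-only ingress.
    if not answer.addresses:
        reasons.append("hostname does not resolve in public DNS")
    for addr in answer.addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            reasons.append(f"{addr} is not globally routable (internal ingress); issuer cannot reach app")
        elif str(ip) != env_static_ip:
            reasons.append(f"{addr} is not the environment's static ingress IP {env_static_ip}")
    return CheckResult(ok=not reasons, reasons=reasons)
```

Run it against the answers a public resolver (not the on-premises forwarder) returns; an internal-ingress environment will fail on the second condition, which is the case this thread describes.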