Azure App Service Linux logs “rehash: skipping ca-certificates.crt” as an error on every app restart — even without custom certificates

Question

Azure App Service Linux logs “rehash: skipping ca-certificates.crt” as an error on every app restart — even without custom certificates

Surbhi Satish Shukla 20

We're seeing the following message in all our Azure App Service (Linux) application log this on every restart on all our environment

rehash: warning: skipping duplicate certificate in azl_SSL.com_TLS_ECC_Root_CA_2022.pem

rehash: warning: skipping duplicate certificate in azl_SSL.com_TLS_RSA_Root_CA_2022.pem

rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL

We did not upload any certificates, yet the message appears across all apps and is logged as an error.

How can we stop Azure App Service Linux from logging this as an error? Is there an Azure‑supported way to suppress or avoid this warning ?

Golla Venkata Pavani 3,415 Reputation points Microsoft External Staff Moderator

2026-03-25T14:57:54.5666667+00:00
Hi @Surbhi Satish Shukla ,

Thank you for reaching out about the rehash warnings in your Azure App Service Linux application logs.

The log messages you’re seeing during application restarts are expected behavior on Azure App Service for Linux and are not caused by any certificates uploaded or configured by your application.

On every restart, the App Service Linux platform automatically refreshes the system trusted root certificates inside the container. As part of this platform‑managed process, OpenSSL runs a certificate rehash operation over the system trust store.

During this step, OpenSSL logs warnings such as:

Skipping ca-certificates.crt because it is a certificate bundle (it intentionally contains multiple certificates)

Skipping duplicate root CA certificates that are already trusted by the platform

These messages are OpenSSL warnings, not errors, and they do not indicate a failure or misconfiguration. The certificate refresh completes successfully immediately afterward, and TLS/HTTPS functionality is unaffected.

Can this be suppressed?

There is currently no Azure‑supported way to suppress or disable these warnings. The certificate refresh and logging behavior are platform‑managed and cannot be customized or overridden by customer configuration.

Recommended actions:

No action is required, These messages can be safely ignored as long as your application starts successfully and HTTPS connections work as expected

If needed, you may filter these messages in your logging or monitoring tools to reduce noise

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Golla Venkata Pavani 3,415 Reputation points Microsoft External Staff Moderator

2026-03-26T11:46:13.69+00:00

Hi @Surbhi Satish Shukla ,

I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
Surbhi Satish Shukla 20 Reputation points

2026-03-26T12:21:42.78+00:00

Hi @Golla Venkata Pavani , Just confirming if you are talking about Azure app service on Linux ? Also these should log as warning but it is logging as error in console, Is there any thing that can be done regarding this?
Golla Venkata Pavani 3,415 Reputation points Microsoft External Staff Moderator

2026-03-26T17:17:15.6566667+00:00
Hi @Surbhi Satish Shukla ,

According to Microsoft documentation, Azure App Service manages the underlying operating system and platform components, including system certificates and trusted root stores, for Linux apps. Customers do not have control over OS‑level processes such as certificate updates or how they are executed during app startup.

On every restart, the App Service Linux platform automatically initializes the container and refreshes the system trusted CA certificates. This is a platform‑managed operation, not an application action, and is part of normal Linux container startup on App Service.

Why it shows as Error in the log stream

It explains that startup and platform process output is streamed directly to the application logs for visibility, but log severity levels are not preserved or configurable for platform‑managed components.

As a result:

OpenSSL emits these messages as warnings

Azure App Service streams them as “Error” entries because they originate from platform startup output (stderr/stdout)

This does not indicate an application failure or certificate issue

Microsoft documentation confirms that this behavior cannot be customized or suppressed, and no action is required as long as the application and HTTPS connectivity function correctly.

Reference:
https://learn.microsoft.com/azure/app-service/faq-app-service-linux#file-system
https://learn.microsoft.com/azure/app-service/configure-ssl-certificate-in-code
https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer accepted by question author

0 additional answers

Your answer

Golla Venkata Pavani 3,415 Reputation points Microsoft External Staff Moderator

2026-03-25T14:57:54.5666667+00:00

Hi @Surbhi Satish Shukla ,

Thank you for reaching out about the rehash warnings in your Azure App Service Linux application logs.

The log messages you’re seeing during application restarts are expected behavior on Azure App Service for Linux and are not caused by any certificates uploaded or configured by your application.

On every restart, the App Service Linux platform automatically refreshes the system trusted root certificates inside the container. As part of this platform‑managed process, OpenSSL runs a certificate rehash operation over the system trust store.

During this step, OpenSSL logs warnings such as:

Skipping ca-certificates.crt because it is a certificate bundle (it intentionally contains multiple certificates)

Skipping duplicate root CA certificates that are already trusted by the platform

These messages are OpenSSL warnings, not errors, and they do not indicate a failure or misconfiguration. The certificate refresh completes successfully immediately afterward, and TLS/HTTPS functionality is unaffected.

Can this be suppressed?

There is currently no Azure‑supported way to suppress or disable these warnings. The certificate refresh and logging behavior are platform‑managed and cannot be customized or overridden by customer configuration.

Recommended actions:

No action is required, These messages can be safely ignored as long as your application starts successfully and HTTPS connections work as expected

If needed, you may filter these messages in your logging or monitoring tools to reduce noise

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Golla Venkata Pavani 3,415 Reputation points Microsoft External Staff Moderator

2026-03-26T11:46:13.69+00:00

Hi @Surbhi Satish Shukla ,

I'm just reaching out to see if your issue has been resolved or if you've had a chance to review my previous comment?
Surbhi Satish Shukla 20 Reputation points

2026-03-26T12:21:42.78+00:00

Hi @Golla Venkata Pavani , Just confirming if you are talking about Azure app service on Linux ? Also these should log as warning but it is logging as error in console, Is there any thing that can be done regarding this?
Golla Venkata Pavani 3,415 Reputation points Microsoft External Staff Moderator

2026-03-26T17:17:15.6566667+00:00

Hi @Surbhi Satish Shukla ,

According to Microsoft documentation, Azure App Service manages the underlying operating system and platform components, including system certificates and trusted root stores, for Linux apps. Customers do not have control over OS‑level processes such as certificate updates or how they are executed during app startup.

On every restart, the App Service Linux platform automatically initializes the container and refreshes the system trusted CA certificates. This is a platform‑managed operation, not an application action, and is part of normal Linux container startup on App Service.

Why it shows as Error in the log stream

It explains that startup and platform process output is streamed directly to the application logs for visibility, but log severity levels are not preserved or configurable for platform‑managed components.

As a result:

OpenSSL emits these messages as warnings

Azure App Service streams them as “Error” entries because they originate from platform startup output (stderr/stdout)

This does not indicate an application failure or certificate issue

Microsoft documentation confirms that this behavior cannot be customized or suppressed, and no action is required as long as the application and HTTPS connectivity function correctly.

Reference:
https://learn.microsoft.com/azure/app-service/faq-app-service-linux#file-system
https://learn.microsoft.com/azure/app-service/configure-ssl-certificate-in-code
https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 1

Hi @Surbhi Satish Shukla ,
Addition to pavani response this behavior is expected on Azure App Service (Linux) and is not related to any certificates uploaded by your application. During container startup, the platform runs standard Linux certificate maintenance commands (such as OpenSSL rehash / update-ca-certificates) against the default system trust store. These commands may emit warnings like duplicate certificates or bundle files (for example ca-certificates.crt containing multiple certificates), and they are written to stderr, which App Service surfaces in the log stream as errors. However, these are benign platform-level warnings and do not indicate any issue with your app, TLS configuration, or connectivity. At present, there is no Azure-supported way to suppress these messages, since they originate from the managed base image initialization process that is not user-configurable. The recommended approach is to safely ignore them or filter them in your logging solution (e.g., Application Insights / Log Analytics).
https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs
https://learn.microsoft.com/en-us/azure/app-service/configure-language-java-deploy-run?tabs=windows&pivots=java-javase
Kindly let us know if the above helps or you need further assistance on this issue.

Share via

Azure App Service Linux logs “rehash: skipping ca-certificates.crt” as an error on every app restart — even without custom certificates

0 additional answers

Your answer