Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
Managed certificated was not rotated automatically
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 97%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
avenuce
0
Reputation points
Hello
why this happened?
certificated not autorotated.
We spent more than 1 hour to recreate it because it takes up to 45 min to generate/delete certificate.
Azure Container Apps
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 14.000000000000002%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Siddhesh Desai 4,895 Reputation points Microsoft External Staff Moderator2026-04-06T09:45:34.0233333+00:00 Hi @avenuce Thank you for reaching out to Microsoft Q&A.
Can you try re-creating the managed certificate? It failed, because it was not able to renew the certificate in the specific window. Re-creating the managed certificate will start the fresh create operation.
Also, Can you provide me the details, I have asked in the private chat?
-
-
Siddhesh Desai 4,895 Reputation points Microsoft External Staff Moderator
2026-04-06T10:34:13.18+00:00 Hi @avenuce
The error “There’s a managed certificate for this domain that is pending issuance. You cannot create another managed certificate for this domain” occurs because Azure allows only one active managed certificate issuance process per custom domain at a time. When a managed certificate creation or renewal is triggered, Azure marks it as Pending issuance and places a backend lock on that domain. While this state exists, Azure blocks any attempt to create another managed certificate for the same hostname. If the pending issuance gets stuck (for example, due to DNS validation failure, CA validation delay, or a backend service issue), the lock is not released automatically, which prevents further certificate creation until the pending operation is resolved or cleaned up.
Refer below points to resolve this issue or this is the workaround:
Wait for the pending issuance to complete or fail If the certificate is genuinely still being issued, Azure will eventually move it to Succeeded or Failed. Once the state changes, the domain lock is released, and you can proceed accordingly.
Delete the stuck pending managed certificate If the certificate remains in Pending issuance for an extended time and does not progress, delete the managed certificate entry from the portal. This clears the backend lock and allows you to create a new managed certificate for the domain.
Ensure DNS validation is correct before recreating the certificate Verify that:
- The CNAME/A record points directly to the expected Azure endpoint
- There are no CNAME chains or intermediaries
- No CAA record is blocking DigiCert Incorrect DNS is the most common reason certificates remain stuck in Pending issuance.
Avoid repeated create attempts while pending Retrying certificate creation while the status is Pending issuance will always fail with this error. Azure does not queue or override existing issuance attempts.
Use Azure Key Vault–based certificates as a long‑term workaround For production‑critical domains, store the certificate in Azure Key Vault, enable auto‑rotation, and bind the service to the Key Vault certificate. This avoids domain‑level locks and managed certificate issuance delays entirely.
-
avenuce 0 Reputation points
2026-04-06T10:50:15.48+00:00 So, I deleted certificate from azure container app environment. Clicked to create new one. It's pending more than 1 hour. I enabled system assigned managed identity. Added RBAC Key Vault Secrets Users (and also access policy certificates get,list,import) for system assigned identity on key vault with my certificates. I'm trying to import certificate but facing error 'system' doesn't have permissions to key vault certificate.
What else can I try with my production?
How long to wait for managed certificate creation which is in pending state? -
Siddhesh Desai 4,895 Reputation points Microsoft External Staff Moderator
2026-04-06T11:18:48.9533333+00:00 Hi @avenuce
What you are observing is a combination of expected Azure Container Apps managed certificate behavior and a Key Vault permission / identity mismatch. In Azure Container Apps, managed certificate creation is a backend, asynchronous process. If the certificate stays in Pending state for an extended period, it usually indicates that domain validation or backend issuance has not completed yet. At the same time, importing a certificate from Azure Key Vault requires the Container Apps environment‑level managed identity to have correct Key Vault data‑plane permissions. Even if permissions look correct, a mismatch between RBAC vs access policies or using the wrong identity (system vs user‑assigned) can cause the error stating that “system doesn’t have permissions to Key Vault certificate”. This is a known and documented limitation with Container Apps and managed identities.
Refer below points to resolve this issue or this is the workaround:
Understand how long to wait for managed certificate creation (Pending state) For Azure Container Apps managed certificates, the creation is asynchronous and depends on CA issuance and domain validation. Microsoft documentation and field experience indicate that issuance can take up to ~45–60 minutes in normal conditions. If the certificate remains in Pending beyond this window and does not move to Succeeded or Failed, it usually means validation is stuck and it will not self‑heal. In that case, deleting and recreating the managed certificate is the only supported action.
Ensure you are granting permissions to the Container Apps environment identity (not the app identity) Certificate import from Key Vault in Container Apps is performed by the environment‑level managed identity, not by the individual container app. Even if the app has identity enabled, the import will fail if the environment identity does not have access. This is explicitly documented for Container Apps certificate management.
Use Azure RBAC only (do not mix RBAC and access policies) If your Key Vault is using Azure RBAC, adding legacy access policies (get/list/import) will not be honored. In RBAC mode, you must assign:
- Key Vault Secrets User (required)
- Key Vault Certificate User (required for certificate import)
Both roles must be assigned at the Key Vault scope to the Container Apps environment managed identity. Mixing RBAC and access policies is a common cause of the “system doesn’t have permissions” error.
Prefer a user‑assigned managed identity (strongly recommended for production) There is a known limitation where system‑assigned identities may not be fully resolvable during certificate or secret validation flows. Using a user‑assigned managed identity avoids this race condition because the identity exists before the operation starts. Microsoft guidance and community reports confirm this as a reliable workaround.
Steps:
- Create a user‑assigned managed identity.
- Assign Key Vault Secrets User and Key Vault Certificate User roles to this identity at the Key Vault scope.
- Attach the user‑assigned identity to the Container Apps environment.
- Import the certificate from Key Vault using this identity.
-
avenuce 0 Reputation points
2026-04-06T11:45:07.3233333+00:00 I thinks Vault based access policy is still supported. https://learn.microsoft.com/en-gb/azure/key-vault/general/assign-access-policy?WT.mc_id=Portal-Microsoft_Azure_KeyVault&tabs=azure-portal.
I created required policy for user/system assigned identities but still same permissions error when import certificate.
Managed certificate creation failed in 2 hours, I started new one.
It's not possible to create managed certificate now? The only way to switch from vault based to RBAC key vault policy and bring my own certificate ? -
-
Siddhesh Desai 4,895 Reputation points Microsoft External Staff Moderator
2026-04-06T12:55:37.3033333+00:00 Hi @avenuce Can you please provide me the details, I have asked in the Private chat?
-
Ace Jerraldven C. Enoc 220 Reputation points2026-04-07T09:20:05.31+00:00 Hi Avenuce
This issue may have occurred because the managed certificate auto-rotation failed during the renewal process. Possible causes include domain validation failure, DNS or hostname configuration issues, CAA restrictions, or a temporary backend issue in the certificate management service.
If no recent changes were made to the configuration or environment, it would be advisable to review the renewal logs, domain binding, and DNS settings to determine the exact root cause.
I hope you find this helpful
♠ ♠ Ace ♠ ♠
-
Ace Jerraldven C. Enoc 220 Reputation points
2026-04-07T12:19:09.8933333+00:00 Hi Avenuce
This issue may have occurred because the managed certificate auto-rotation failed during the renewal process. Possible causes include domain validation failure, DNS or hostname configuration issues, CAA restrictions, or a temporary backend issue in the certificate management service.
If no recent changes were made to the configuration or environment, it would be advisable to review the renewal logs, domain binding, and DNS settings to determine the exact root cause.
I hope you find this helpful
♠ ♠ Ace ♠ ♠
Sign in to comment
Sign in to answer