Tags: azure, azure-front-door

Automating Azure FrontDoor Managed Certificate Renewal for Custom Domains with CNAME chain


Init

I have an Azure Front Door instance with web application firewall policies and Azure-managed certificates. My setup involves custom domains on Azure Front Door, but it requires that no CNAME is pointing directly to Azure Front Door. Instead, I have a CNAME record for www.example.com that points to a delegated zone, specifically www.production.example.com. This delegated zone allows the application to migrate seamlessly without requiring any direct interaction from the primary zone's DNS owner.

This situation leads to the issue described in https://learn.microsoft.com/en-us/answers/questions/787131/domain-validation-steps-for-azure-front-door-stand, where the certificate re-validation fails, but the TXT validation works correctly. As a result, I have to manually regenerate the TXT challenge on the Front Door and update the records to renew the certificates every few months.

Question

I would like to automate the renewal process of TLS certificates with Azure FrontDoor Managed Certificates. I plan to set up a pipeline that runs periodically. When a custom domain is in a 'pending' state, I intend to use PowerShell or Azure CLI to trigger the regeneration of the 'dnsauth' value. After generating the new value, I will retrieve and update the corresponding DNS TXT record. However, I'm unable to find an endpoint or method to automate the regeneration of the TXT `_dnsauth` record as I can manually do it in the portal.

[Screenshot: Azure Portal custom domain regenerate ownership _dnsauth TXT record in UI]

Does anyone have information on how to achieve this or any suggestions on how to automate this process?

What I have tested so far

I have gone through the documentation and tried Google, but have not found such an endpoint/method so far.


Solution

  • I found this Azure CLI command: `az afd custom-domain regenerate-validation-token`
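The periodic pipeline step the question describes, built around the CLI command in the answer, as an added example (not code from the asker or the answerer). It assumes placeholder resource names, that the pipeline's DNS write access is to the delegated zone `production.example.com`, and that the domain's state is read from Front Door's `domainValidationState` field; check the token's `expirationDate` in the same `show` output if you want to renew ahead of time rather than only once the domain is already pending.

```shell
#!/bin/sh
# Added example: renew an AFD managed-certificate validation token when a custom
# domain is pending and publish it to the TXT record in the delegated zone.
# All resource names below are constructed placeholders, not from the original post.
set -eu

AFD_RG="rg-frontdoor-placeholder"        # resource group of the Front Door profile
AFD_PROFILE="afd-profile-placeholder"    # Front Door Standard/Premium profile name
AFD_DOMAIN="www-example-com"             # custom domain resource name in the profile
AFD_HOST="www.example.com"               # host name configured on that custom domain
DNS_RG="rg-dns-placeholder"              # resource group holding the writable zone
DNS_ZONE="production.example.com"        # delegated zone the pipeline may write to
TXT_HOST="www.production.example.com"    # host whose _dnsauth TXT record we maintain

# Validation states in which a fresh token must be issued and published
# (state names are Front Door's domainValidationState values).
needs_renewal() {
    case "$1" in
        Pending|PendingRevalidation|TimedOut) return 0 ;;
        *) return 1 ;;
    esac
}

# Relative TXT record-set name for a host inside DNS_ZONE: "_dnsauth.www" for
# www.production.example.com, or "_dnsauth" for the zone apex.
dns_record_name() {
    fqdn="$1"; zone="$2"
    if [ "$fqdn" = "$zone" ]; then echo "_dnsauth"; else echo "_dnsauth.${fqdn%.$zone}"; fi
}

# Replace the whole TXT record set so only the current token is served.
publish_token() {
    name=$(dns_record_name "$TXT_HOST" "$DNS_ZONE")
    az network dns record-set txt delete -g "$DNS_RG" -z "$DNS_ZONE" -n "$name" --yes
    az network dns record-set txt add-record -g "$DNS_RG" -z "$DNS_ZONE" -n "$name" --value "$1" >/dev/null
}

renew_if_pending() {
    state=$(az afd custom-domain show -g "$AFD_RG" --profile-name "$AFD_PROFILE" \
        --custom-domain-name "$AFD_DOMAIN" --query domainValidationState -o tsv)
    if ! needs_renewal "$state"; then echo "$AFD_HOST: state $state, nothing to do"; return 0; fi
    # Issue a new token (the command from the answer), then read it back and publish it.
    az afd custom-domain regenerate-validation-token -g "$AFD_RG" \
        --profile-name "$AFD_PROFILE" --custom-domain-name "$AFD_DOMAIN" >/dev/null
    token=$(az afd custom-domain show -g "$AFD_RG" --profile-name "$AFD_PROFILE" \
        --custom-domain-name "$AFD_DOMAIN" --query validationProperties.validationToken -o tsv)
    publish_token "$token"
    echo "$AFD_HOST: published new _dnsauth token; Front Door re-checks the record itself"
}

# Only touch Azure when explicitly asked, so the helper functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then renew_if_pending; fi
```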