Merge pull request #293039 from craigshoemaker/aca/jason/cli-instructions

JamesJBarnett · web-flow · commit a7742aeae219 · 2025-01-14T15:43:51.000-07:00
[Container Apps] Add CLI instructions for custom domain certificates
diff --git a/articles/container-apps/custom-domains-certificates.md b/articles/container-apps/custom-domains-certificates.md
@@ -6,8 +6,9 @@ author: craigshoemaker
 ms.service: azure-container-apps
 ms.custom: build-2023, ignite-2024
 ms.topic: how-to
-ms.date: 05/28/2024
+ms.date: 1/14/2025
 ms.author: cshoe
+zone_pivot_groups: azure-cli-or-portal
 ---
 
 # Custom domain names and bring your own certificates in Azure Container Apps
@@ -20,12 +21,14 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
 - Ingress must be enabled for the container app.
 
 > [!NOTE]
-> If you configure a [custom environment DNS (Domain Name System) suffix](environment-custom-dns-suffix.md), you cannot add a custom domain that contains this suffix to your Container App.
+> If you configure a [custom environment DNS (Domain Name System) suffix](environment-custom-dns-suffix.md), you can't add a custom domain that contains this suffix to your Container App.
 
 ## Add a custom domain and certificate
 
+::: zone pivot="azure-portal"
+
 > [!IMPORTANT]
-> If you are using a new certificate, you must have an existing [SNI domain certificate](https://wikipedia.org/wiki/Server_Name_Indication) file available to upload to Azure.
+> If you're using a new certificate, you must have an existing [SNI domain certificate](https://wikipedia.org/wiki/Server_Name_Indication) file available to upload to Azure.
 
 1. Navigate to your container app in the [Azure portal](https://portal.azure.com)
 
@@ -63,7 +66,7 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
     | Apex domain | A record | An apex domain is a domain at the root level of your domain. For example, if your DNS (Domain Name System) zone is `contoso.com`, then `contoso.com` is the apex domain. |
     | Subdomain | CNAME | A subdomain is a domain that is part of another domain. For example, if your DNS zone is `contoso.com`, then `www.contoso.com` is an example of a subdomain that can be configured in the zone. |
 
-1. Using the DNS provider that is hosting your domain, create DNS records based on the *Hostname record type* you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
+1. Using the DNS provider that is hosting your domain, create DNS records based on the *Hostname record type* you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you're using custom domains with the private endpoint (preview) feature:
 
     # [General](#tab/general)
     
@@ -89,7 +92,7 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
         |--|--|--|
         | A | `@` | The Private IP of your private endpoint on your container apps environment. |
 
-        In addition, you will need to add the following record to your public DNS zone.
+        In addition, you'll need to add the following record to your public DNS zone.
 
         | Record type | Host | Value |
         |--|--|--|
@@ -111,7 +114,167 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
 1. Once the operation is complete, you see your domain name in the list of custom domains with a status of *Secured*. Navigate to your domain to verify that it's accessible.
 
 > [!NOTE]
-> For container apps in internal Container Apps environments, [additional configuration](./networking.md#dns) is required to use custom domains with VNET-scope ingress.
+> For container apps in internal Container Apps environments, [extra configuration](./networking.md#dns) is required to use custom domains with VNET-scope ingress.
+
+::: zone-end
+
+::: zone pivot="azure-cli"
+
+Container Apps supports apex domains and subdomains. Each domain type requires a different DNS record type and validation method.
+
+| Domain type | Record type | Validation method | Notes |
+|--|--|--|--|
+| Apex domain | A record | HTTP | An apex domain is a domain at the root level of your domain. For example, if your DNS zone is `contoso.com`, then `contoso.com` is the apex domain. |
+| Subdomain | CNAME | CNAME | A subdomain is a domain that is part of another domain. For example, if your DNS zone is `contoso.com`, then `www.contoso.com` is an example of a subdomain that can be configured in the zone. |
+
+1. Log in to Azure with the Azure CLI.
+
+    ```azurecli
+    az login
+    ```
+
+1. Next, install the Azure Container Apps extension for the CLI.
+
+    ```azurecli
+    az extension add --name containerapp --upgrade
+    ```
+
+1. Set the following environment variables. Replace the `<PLACEHOLDERS>` with your values.
+
+    ```azurecli
+    RESOURCE_GROUP = "<RESOURCE_GROUP>"
+    CONTAINER_APP = "<CONTAINER_APP>"
+    ENVIRONMENT = "<ENVIRONMENT>"
+    TARGET_PORT = "<TARGET_PORT>"
+    DOMAIN_NAME = "<DOMAIN_NAME>"
+    CERTIFICATE_LOWERCASE_NAME = "<CERTIFICATE_LOWERCASE_NAME>"
+    CERTIFICATE_LOCAL_PATH = "<CERTIFICATE_LOCAL_PATH>"
+    CERTIFICATE_PASSWORD = "<CERTIFICATE_PASSWORD>"
+    ```
+
+    - Replace `<CERTIFICATE_LOCAL_PATH>` with the local path of your certificate file.
+    - Replace `<CERTIFICATE_LOWERCASE_NAME>` with a lowercase certificate name that is unique within the environment.
+    - Replace `<TARGET_PORT>` with the port that your container app is listening on.
+
+1. Verify that your container app has HTTP ingress enabled.
+
+    ```azurecli
+    az containerapp ingress show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP
+    ```
+
+    If ingress isn't enabled, enable it with these steps:
+
+    ```azurecli
+    az containerapp ingress enable \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        --type external \
+        --target-port $TARGET_PORT \
+        --transport auto
+    ```
+
+1. If you're configuring an apex domain, get the IP address of your Container Apps environment.
+
+    ```azurecli
+    az containerapp env show \
+        -n $ENVIRONMENT \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.staticIp"
+    ```
+
+1. If you're configuring a subdomain, get the automatically generated domain of your container app.
+
+    ```azurecli
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.configuration.ingress.fqdn"
+    ```
+
+1. Get the domain verification code.
+
+    ```azurecli
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.customDomainVerificationId"
+    ```
+
+1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you're using custom domains with the private endpoint (preview) feature:
+
+    # [General](#tab/general)
+    
+    - If you selected *A record*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The IP address of your Container Apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+    
+    # [Private endpoint](#tab/private-endpoint)
+
+    When using a private endpoint for your incoming traffic, you need to [create a private DNS zone](how-to-use-private-endpoint.md#configure-the-private-dns-zone).    
+
+    - If you selected *A record*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | A | `@` | The Private IP of your private endpoint on your container apps environment. |
+        | TXT | `asuid` | The domain verification code. |
+
+    - If you selected *CNAME*, create the following DNS records:
+
+        | Record type | Host | Value |
+        |--|--|--|
+        | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
+        | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
+
+    ---
+
+1. Upload the certificate to your environment.
+
+    ```azurecli
+    az containerapp env certificate upload \
+        -g $RESOURCE_GROUP \
+        --name $ENVIRONMENT \
+        --certificate-file $CERTIFICATE_LOCAL_PATH \
+        --password $CERTIFICATE_PASSWORD \
+        --certificate-name $CERTIFICATE_LOWERCASE_NAME
+    ```
+
+1. Bind the certificate and domain to your container app.
+
+    ```azurecli
+    az containerapp hostname bind \
+        --hostname $DOMAIN_NAME \
+        -g $RESOURCE_GROUP \
+        -n $CONTAINER_APP \
+        --environment $ENVIRONMENT \
+        --certificate $CERTIFICATE_LOWERCASE_NAME \
+        --validation-method <VALIDATION_METHOD>
+    ```
+
+    - If you're configuring an *A record*, replace `<VALIDATION_METHOD>` with `HTTP`.
+
+    - If you're configuring a *CNAME*, replace `<VALIDATION_METHOD>` with `CNAME`.
+
+    It might take several minutes to issue the certificate and add the domain to your container app.
+
+1. Once the operation is complete, navigate to your domain to verify that it's accessible.
+
+::: zone-end
 
 ## Managing certificates
 
diff --git a/articles/container-apps/custom-domains-managed-certificates.md b/articles/container-apps/custom-domains-managed-certificates.md
@@ -6,7 +6,7 @@ author: craigshoemaker
 ms.service: azure-container-apps
 ms.custom: build-2023, devx-track-azurecli, ignite-2024
 ms.topic: how-to
-ms.date: 09/19/2024
+ms.date: 01/14/2025
 ms.author: cshoe
 zone_pivot_groups: azure-cli-or-portal
 ---
@@ -18,7 +18,7 @@ Azure Container Apps allows you to bind one or more custom domains to a containe
 If you want to set up a custom domain using your own certificate, see [Custom domain names and certificates in Azure Container Apps](custom-domains-certificates.md).
 
 > [!NOTE]
-> If you configure a [custom environment DNS suffix](environment-custom-dns-suffix.md), you cannot add a custom domain that contains this suffix to your Container App.
+> If you configure a [custom environment DNS suffix](environment-custom-dns-suffix.md), you can't add a custom domain that contains this suffix to your Container App.
 
 ## Free certificate requirements
 
@@ -30,10 +30,11 @@ The requirements are:
 
 - Must have an A record for apex domains that points to your Container Apps environment's IP address.
 
-- Establish a CNAME record for subdomains that maps directly to the container app's automatically generated domain name. Mapping to an intermediate CNAME value blocks certificate issuance and renewal. Examples of CNAME values are traffic managers, Cloudflare, and similar services.
+- Establish a CNAME record for subdomains that maps directly to the container app's generated domain name. Mapping to an intermediate CNAME value blocks certificate issuance and renewal. Examples of CNAME values are traffic managers, Cloudflare, and similar services.
 
 > [!NOTE]
 > To ensure the certificate issuance and subsequent renewals proceed successfully, all requirements must be met at all times when the managed certificate is assigned.
+
 ## Add a custom domain and managed certificate
 
 ::: zone pivot="azure-portal"
@@ -98,7 +99,7 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
 | Apex domain | A record | HTTP | An apex domain is a domain at the root level of your domain. For example, if your DNS zone is `contoso.com`, then `contoso.com` is the apex domain. |
 | Subdomain | CNAME | CNAME | A subdomain is a domain that is part of another domain. For example, if your DNS zone is `contoso.com`, then `www.contoso.com` is an example of a subdomain that can be configured in the zone. |
 
-1. Log in to Azure with the Azure CLI. 
+1. Log in to Azure with the Azure CLI.
 
     ```azurecli
     az login
@@ -110,46 +111,73 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
     az extension add --name containerapp --upgrade
     ```
 
+1. Set the following environment variables. Replace the `<PLACEHOLDERS>` with your values.
+
+    ```azurecli
+    RESOURCE_GROUP = "<RESOURCE_GROUP>"
+    CONTAINER_APP = "<CONTAINER_APP>"
+    ENVIRONMENT = "<ENVIRONMENT>"
+    TARGET_PORT = "<TARGET_PORT>"
+    DOMAIN_NAME = "<DOMAIN_NAME>"
+    CERTIFICATE_LOWERCASE_NAME = "<CERTIFICATE_LOWERCASE_NAME>"
+    CERTIFICATE_LOCAL_PATH = "<CERTIFICATE_LOCAL_PATH>"
+    CERTIFICATE_PASSWORD = "<CERTIFICATE_PASSWORD>"
+    ```
+
+    - Replace `<CERTIFICATE_LOCAL_PATH>` with the local path of your certificate file.
+    - Replace `<CERTIFICATE_LOWERCASE_NAME>` with a lowercase certificate name that is unique within the environment.
+    - Replace `<TARGET_PORT>` with the port that your container app is listening on.
+
 1. Verify that your container app has HTTP ingress enabled.
 
     ```azurecli
-    az containerapp ingress show -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME>
+    az containerapp ingress show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP
     ```
 
     If ingress isn't enabled, enable it with these steps:
 
     ```azurecli
-    az containerapp ingress enable -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME> \
-            --type external --target-port <TARGET_PORT> --transport auto
+    az containerapp ingress enable \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        --type external \
+        --target-port $TARGET_PORT \
+        --transport auto
     ```
 
-    Replace `<CONTAINER_APP_NAME>` with the name of your container app, `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app, and `<TARGET_PORT>` with the port that your container app is listening on.
-
 1. If you're configuring an apex domain, get the IP address of your Container Apps environment.
 
     ```azurecli
-    az containerapp env show -n <ENVIRONMENT_NAME> -g <RESOURCE_GROUP_NAME> -o tsv --query "properties.staticIp"
+    az containerapp env show \
+        -n $ENVIRONMENT \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.staticIp"
     ```
 
-    Replace `<ENVIRONMENT_NAME>` with the name of your environment, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your environment.
-
 1. If you're configuring a subdomain, get the automatically generated domain of your container app.
 
     ```azurecli
-    az containerapp show -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME> -o tsv --query "properties.configuration.ingress.fqdn"
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.configuration.ingress.fqdn"
     ```
 
-    Replace `<CONTAINER_APP_NAME>` with the name of your container app, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app.
-
 1. Get the domain verification code.
 
     ```azurecli
-    az containerapp show -n <CONTAINER_APP_NAME> -g <RESOURCE_GROUP_NAME> -o tsv --query "properties.customDomainVerificationId"
+    az containerapp show \
+        -n $CONTAINER_APP \
+        -g $RESOURCE_GROUP \
+        -o tsv \
+        --query "properties.customDomainVerificationId"
     ```
 
-    Replace `<CONTAINER_APP_NAME>` with the name of your container app, and `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app.
-
-1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you are using custom domains with the private endpoint (preview) feature:
+1. Using the DNS provider that is hosting your domain, create DNS records based on the record type you selected using the values shown in the *Domain validation* section. The records point the domain to your container app and verify that you own it. The setup depends on whether you're using custom domains with the private endpoint (preview) feature:
 
     # [General](#tab/general)
     
@@ -166,10 +194,10 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
         |--|--|--|
         | CNAME | The subdomain (for example, `www`) | The generated domain of your container app. |
         | TXT | `asuid.` followed by the subdomain (for example, `asuid.www`) | The domain verification code. |
-    
+
     # [Private endpoint](#tab/private-endpoint)
 
-    When using a private endpoint for your incoming traffic, you need to [create a private DNS zone](how-to-use-private-endpoint.md#configure-the-private-dns-zone).    
+    When using a private endpoint for your incoming traffic, you need to [create a private DNS zone](how-to-use-private-endpoint.md#configure-the-private-dns-zone).
 
     - If you selected *A record*, create the following DNS records:
 
@@ -190,20 +218,25 @@ Container Apps supports apex domains and subdomains. Each domain type requires a
 1. Add the domain to your container app.
 
     ```azurecli
-    az containerapp hostname add --hostname <DOMAIN_NAME> -g <RESOURCE_GROUP_NAME> -n <CONTAINER_APP_NAME>
+    az containerapp hostname add \
+        --hostname $DOMAIN_NAME \
+        -g $RESOURCE_GROUP \
+        -n $CONTAINER_APP
     ```
 
-    Replace `<DOMAIN_NAME>` with the domain name you want to add, `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app, and `<CONTAINER_APP_NAME>` with the name of your container app.
-
 1. Configure the managed certificate and bind the domain to your container app.
 
     ```azurecli
-    az containerapp hostname bind --hostname <DOMAIN_NAME> -g <RESOURCE_GROUP_NAME> -n <CONTAINER_APP_NAME> --environment <ENVIRONMENT_NAME> --validation-method <VALIDATION_METHOD>
+    az containerapp hostname bind \
+        --hostname $DOMAIN_NAME \
+        -g $RESOURCE_GROUP \
+        -n $CONTAINER_APP \
+        --environment $ENVIRONMENT \
+        --validation-method <VALIDATION_METHOD>
     ```
 
-    Replace `<DOMAIN_NAME>` with the domain name you want to add, `<RESOURCE_GROUP_NAME>` with the name of the resource group that contains your container app, `<CONTAINER_APP_NAME>` with the name of your container app, and `<ENVIRONMENT_NAME>` with the name of your environment.
-
     - If you're configuring an *A record*, replace `<VALIDATION_METHOD>` with `HTTP`.
+
     - If you're configuring a *CNAME*, replace `<VALIDATION_METHOD>` with `CNAME`.
 
     It might take several minutes to issue the certificate and add the domain to your container app.
