# azure


01/29/2024, 2:24 PM
I have this code snippet in place:
```csharp
// App Service managed certificate for the custom domain
var certificateName = ResourceName("certificate");
var managedCertificate = new Certificate(certificateName, new CertificateArgs
{
    Location = location,
    ResourceGroupName = resourceGroup.Name,
    HostNames = new [] { customDomainName },
    CanonicalName = customDomainName,
    ServerFarmId = appService.ServerFarmId!
});

// Custom hostname binding that references the certificate's thumbprint
var customDomainBindingName = ResourceName("customDomainBinding");
var customHostNameBinding = new WebAppHostNameBinding(customDomainBindingName, new WebAppHostNameBindingArgs
{
    Name = appService.Name,
    ResourceGroupName = resourceGroup.Name,
    SiteName = appService.Name,
    HostName = customDomainName,
    SslState = SslState.SniEnabled,
    Thumbprint = managedCertificate.Thumbprint
});
```
But I get the following error when running `pulumi up`:

```
error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Properties.CanonicalName is invalid. Certificate creation requires hostname XXX added to an App Service in the serverFarm /subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.Web/serverfarms/XXX."
```

It works only if I first deploy the custom domain binding without the certificate, and then add the certificate in a new run...


01/30/2024, 6:58 PM
It's a known problem – there's a cyclic dependency in the Azure API itself, so this isn't possible in a single run without some kind of hacks. Cert creation depends on the custom domain being deployed, and to update the SSL binding on the custom domain it needs to know the cert thumbprint.
Pulumi has explored some possible solutions that might be implemented in the future:


01/31/2024, 11:47 AM
Thank you for the detailed info!