Unable to use a sub domain for Azure API Management

Question

Is it possible to use more than one level of sub domain when creating a CNAME for Azure API Management?

I have a domain set up in Azure as follows;

mydomain.com        <- main web site as an Azure web app
api.mydomain.com    <- API managed by Azure API Mgmt
portal.mydomain.com <- Portal managed by Azure API Mgmt

This works fine, but we'd like to set up a structured test sub domain as follows;

test.mydomain.com        <- main web site as an Azure web app
api.test.mydomain.com    <- API managed by Azure API Mgmt
portal.test.mydomain.com <- Portal managed by Azure API Mgmt

We have created the test.mydomain.com web app fine, but Azure API Management will not let us use the sub domain api.test or portal.test.

The error it generates is;

{"code":"InvalidOperation","message":"Certificate '933EDADD0C4037F6A0C02D38DFD5AF4A76FXXXXX' is invalid. Domain name: api.test.mydomain.com","details":null,"innerError":null}

This goes away if we use a single host (for example, apitest without the dot instead of api.test).

Our CNAMES are set up as follows.

api mydomainapi.azure-api.net
api.test mydomaintestapi.azure-api.net
portal.test mydomaintestapi.azure-api.net

I've tried all kinds of jiggery pokery with the awverify abominations and we have been able to host web apps using those custom domains, just not Azure API endpoints.

Answer 1

Looks like you are trying to use SSL certificate with subject name *.mydomain.com? If yes, then the error is expected as SSL wildcard certificate for *.mydomain.com will match apitest.mydomain.com but will not match api.test.mydomain.com. This is nothing to do with APIM specifically, this is how cert subject name matching rules are defined/implemented.

Here is one explanation regarding the same wildcard ssl on sub-subdomain

You can either get new certificate or add *.test.mydomain.com in SAN for the same certificate then same SSL cert will work for all 3 of your urls.