Based on the documentation I've read, the "Denied" status should only happen if the domain fails to verify.
But clearly the verification passed so I'm not sure what else to do. Attempting to follow the sub-steps under the Assign step just leads to errors related to the cert being in the "Denied" state still.
CodePudding user response:
This happens when domain verification for the certificate is not completed in 45 days, causing the certificate to be in the denied state. The certificate will not be billed.
The suggestion is to delete the certificate and request a new certificate.
Also note that: For a Standard certificate, the certificate provider gives you a certificate for the requested top-level domain and its www subdomain (for example, contoso.com and www.contoso.com). However, beginning on December 1, 2021, a restriction is introduced on the App Service and the Manual verification methods. Both of them use HTML page verification to verify domain ownership. With this method, the certificate provider is no longer allowed to include the www subdomain when issuing, rekeying, or renewing a certificate.
The Domain and Mail verification methods continue to include the www subdomain with the requested top-level domain in the certificate.
See: FAQ SSL certificates for Web Apps and App Service Certificates
Check this official document: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex,portal#import-an-app-service-certificate
CodePudding user response:
In this case, the issue was not domain verification as stated in the other answer here and in the documentation, but was a misconfigured CAA record on the DNS.
For wildcard certs you need to have an
0 issuewild godaddy.com
record on the root domain - not on a star (*) domain.
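The CAA behaviour described in the answer above, as an added example that is not part of the original thread: a simplified Python model of the RFC 8659 lookup, showing why an issuewild record placed on the star name is not consulted for a wildcard request. The zone contents, contoso.example, otherca.example and the function names are constructed for illustration.

```python
# Simplified CAA evaluation following RFC 8659 (no CNAME chasing, no
# critical-flag handling). Zones are constructed sample data:
# owner name -> list of (flags, tag, value) CAA records.
MISCONFIGURED = {
    "contoso.example": [(0, "issue", "otherca.example")],
    # Not consulted when a CA checks a request for *.contoso.example:
    "*.contoso.example": [(0, "issuewild", "godaddy.com")],
}
CORRECTED = {
    "contoso.example": [(0, "issue", "otherca.example"),
                        (0, "issuewild", "godaddy.com")],
}

def relevant_caa(zone, fqdn):
    """Climb from fqdn toward the root; return the first non-empty CAA set."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]  # the wildcard label is stripped before lookup
    while labels:
        name = ".".join(labels)
        if zone.get(name):
            return name, zone[name]
        labels = labels[1:]
    return None, []

def ca_may_issue(zone, fqdn, ca_domain):
    """True if ca_domain is authorised to issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_caa(zone, fqdn)
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild applies only to wildcard requests and, when present,
    # replaces the issue properties for them.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # nothing in the relevant set restricts issuance
    allowed = {v.split(";")[0].strip().lower() for v in props}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for label, zone in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        owner, _ = relevant_caa(zone, "*.contoso.example")
        ok = ca_may_issue(zone, "*.contoso.example", "godaddy.com")
        print(f"{label}: CAA read from {owner}, godaddy.com allowed = {ok}")
```
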