Apex domain stuck in “Validating” for 18+ hours and Azure serving wrong certificate for klupar.com #1717

@TrackDaddy5

Static Web App resource:
klup-web
Subscription: 4e2e26e9-73b1-40bd-bebd-0047369d17f1

Region:
West US 2

Summary
My apex domain klupar.com has been stuck in “Validating” for ~18 hours.
I was able to get it to validate once, but Azure still served the wrong certificate (CN did not include klupar.com). After removing and re‑adding the domain twice, it is stuck in “Validating” again.

This appears to be a stale certificate issuance or binding issue on Azure’s side.

DNS Configuration (Cloudflare)
All DNS records are correct and DNS‑only (no proxy):

A     klupar.com     20.42.128.101     DNS only
TXT   _asuid         "_fcbfqou2ym2yu4b9w3spjgyz9y9blqj"     DNS only
CAA   @              0 issue "digicert.com"
Cloudflare proxy is disabled.
CAA record added to allow DigiCert.

Observed Behavior
Running:
curl -v https://klupar.com

Returns:

SEC_E_WRONG_PRINCIPAL - The target principal name is incorrect.

Azure is serving a certificate whose CN/SAN does not include klupar.com.

This indicates that:

  • domain validation succeeded at least once
  • but certificate issuance or binding failed
  • and the CDN edge is still serving the default certificate

What I’ve already tried

  • Removed and re‑added the apex domain twice
  • Recreated the TXT _asuid record
  • Waited 10–15 minutes between attempts
  • Confirmed DNS propagation
  • Confirmed correct A record
  • Confirmed Cloudflare proxy is off
  • Added DigiCert CAA record
  • Verified that curl still shows wrong certificate

Expected Behavior
Azure should:

  • Validate the TXT record
  • Issue a certificate for klupar.com
  • Deploy the certificate to the CDN edge
  • Serve the correct certificate

Request
Please clear the stale certificate order for klupar.com, force a new validation, and re‑issue + bind the correct certificate.

This appears to be the known SWA apex-domain certificate binding issue.

Thank you.
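
Added example, not part of the original issue and not Azure or Static Web Apps tooling: a Python check that reads the certificate a host actually serves and tests whether its SAN/CN names cover the requested hostname, which is the mismatch that `SEC_E_WRONG_PRINCIPAL` reports. The function names and both sample certificates are constructed for illustration; `fetch_cert` keeps chain verification on and disables only the name check, so it raises `ssl.SSLCertVerificationError` if the chain itself is untrusted.

```python
import socket
import ssl
import sys


def cert_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SANs are present the CN is not consulted (RFC 6125)
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a '*' standing for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.example.net' never covers the apex 'example.net'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def fetch_cert(hostname, port=443, timeout=10):
    """Return the served leaf certificate; only the hostname check is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # inspect a mismatching certificate instead of failing
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not taken from the issue).
DEFAULT_EDGE_CERT = {
    "subjectAltName": (("DNS", "*.edge.example.net"), ("DNS", "edge.example.net")),
}
CUSTOM_DOMAIN_CERT = {"subjectAltName": (("DNS", "example.com"),)}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None  # no argument: offline sample
    cert = fetch_cert(host) if host else DEFAULT_EDGE_CERT
    print(cert_dns_names(cert), covers(cert, host or "example.com"))
```

Run with a hostname argument to inspect a live endpoint; a `False` result alongside a list of platform-owned names means the edge is still presenting its default certificate rather than one issued for the custom domain.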
