Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,217 questions
Do we know when this will GA?
Azure Application Gateway Wildcard
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 97%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
Pascal Dittmer
1
Reputation point
I want to configure an Application Gateway with multiple sites.
x1.contoso.com
x2.contoso.com
x3.contoso.com
...
I have a wildcard certificate for *.contoso.com
I only get a single subdomain to work when I set the custom hostname in the HTTP-Settings for example to x1.contoso.com. The Listener is configured for multisite and the hostnames with *.contoso.com. They all point to the same VM (CentOS, Apache)
The backend health check says that the CN of the backend cert does not match the host header in the health probe. But even if I put *.contoso.com as custom hostname in the HTTPS-Settings, or create a custom probe, no change. I read that my wildcard could need SANs, but that would make no sense, because I would need a new cert erverytime I want to add a new subdomain right? How can I get this to work?
Maybe you can help me.
Pascal
Azure Application Gateway
{count} votes
-
Saroj Kumar Pradhan 1 Reputation point2020-07-22T14:48:28.49+00:00 Have you tried the option "Pick host name from backend target" option in your HTTP Setting? https://learn.microsoft.com/en-us/azure/application-gateway/configuration-overview
-
Pascal Dittmer 1 Reputation point
2020-07-22T20:23:18.993+00:00 Thank you for your response. I tried it already, unfortunately no change.
Sign in to comment
5 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 79%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Jim M 146 Reputation points2021-05-18T08:58:44.51+00:00 I have a similar issue. I just have a single backed server in a pool - host.here.com. That server is installed with a wildcard cert which has the CN here.com. I have configured app gateway for multi site and i have tried overriding the hostname with 'host.here.com' in the http setting. But it still complains that the CN in the certificate does not match my host name.
It would be nice if app gateway had a setting to make it accept any backend server cert, regardless of mismatch.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 89%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sadaf M 1 Reputation point2021-05-27T02:22:59.183+00:00 You need wildcard SSL to use on subdomains.
Sign in to comment -
-
Jim M 146 Reputation points
2021-05-27T02:45:37.323+00:00 I found the issue. Whilst the backend server was presenting the required cert, it was not presenting the full cert chain. Therefore AGW is unhappy with the cert. Once the backend server config was corrected, all came good.
-
dcvander 6 Reputation points2021-06-05T15:11:09.633+00:00 JimM - I'm strangely having this same problem and was curious if you could elaborate what you did on the backend. I have a wildcard GoDaddy certificate and the HTTP Settings are using the Well Known CA option (i've tried adding the Root chain manually on the AGW but i think you are right its a backend problem) so like you i'm getting this CN validation issue. Interestingly this doesn't happen with Digicerts. How did you configure the backend to properly present the full cert chain?
Sign in to comment -
-
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator2020-07-29T09:57:15.78+00:00 Hello @Diddy512-6008 ,
Wildcard host names in listeners for Application Gateway v2 is currently in public preview! You can configure host names with wildcard characters (* and ?) and up to 5 host names per listener with comma separated values.
Using a wildcard character in the host name, you can match multiple host names in a single listener. For example, *.contoso.com can match with ecom.contoso.com, b2b.contoso.com as well as customer1.b2b.contoso.com and so on.
Please refer : https://learn.microsoft.com/en-us/azure/application-gateway/multiple-site-overview#wildcard-host-names-in-listener-preview
Kindly let us know if the above helps or you need further assistance on this issue.
Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
-
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
2020-07-30T12:28:25.333+00:00 Hello @Diddy512-6008 ,
Any update on this post?
If the suggested response helped you resolve your issue, please don't forget to "Accept the answer" for the benefit of other community members.
Thanks,
Gita -
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
2020-08-03T12:25:21.437+00:00 -
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
2020-08-04T13:03:41.007+00:00 Hello @Pascal Dittmer ,
Just checking in to see if the above answer helped. If this answers your query, do click “Please accept as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Gita -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 74%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Menon, Pradeep 1 Reputation point2020-12-02T17:01:56.74+00:00 Do you know , when this will be on GA?
Sign in to comment -
-
KoenTee 6 Reputation points2021-07-01T12:26:24.217+00:00 I'm equally interested to learn what you did on your backend server config.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 11%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Andreas Steiner 5 Reputation points2023-05-16T19:16:25.2466667+00:00 An older post, but maybe someone laded here as I did... I managed to get it work by adding a custom probe to the default website with a binding on port 443 that has a hostheader matching the wildcard (servername.<wildcard-domain>)
For me the GoDaddy Wildcard was recognized a "well known CA certificate"
Sign in to comment -