CN of backend server certificate does not match the host header in health probe configuration

Pratik Shinde 6 Reputation points

I have configured a self-signed domain root certificate on the application gateway in the listener setting. The same certificate is used for web hosting on the IIS server.

CN of backend server certificate does not match the host header in health probe configuration
The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate.

Tried all solutions from the support documents. Creation of the certificate was also done as per Microsoft documentation.


2 answers

  1. Pratik Shinde 6 Reputation points

    I have followed the steps, but it was not working anyhow. So, I proceeded with an external certificate authority.
    As per the SOPs given, it should work with a self-signed certificate.


  2. GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee

    Hello @Pratik Shinde ,

    Thank you for the update.

    I understand that you have configured a self-signed domain root certificate on your application gateway in the listener setting but are receiving a Common Name (CN) mismatch error in the backend health.

    You already tried the troubleshooting steps from the below doc but it didn't help:

    Requested you to follow the steps advised in the below thread and you mentioned that it didn't work for you, so you proceeded with external certificate authority.

    Self-signed certificates are indeed supported in Azure Application Gateway, but you need to consider some points.
    I'm not sure which Application gateway SKU you are using. So, sharing both SKU considerations:

    End-to-end TLS with the v1 SKU:

    • Self-signed certificates are for test purposes only and not recommended for production workloads. Such certificates must be allow-listed with the application gateway before they can be used.
    • If the backend pool address is an IP address, SNI (server_name) won’t be set.
      Note: In this case, the backend server should be able to return a default/fallback certificate and this should be allow-listed in HTTP settings under authentication certificate. If there’s no default/fallback certificate configured in the backend server and SNI is expected, the server might reset the connection and will lead to probe failures.

    End-to-end TLS with the v2 SKU:

    • If the backend server certificate is self-signed, or signed by unknown CA/intermediaries, then to enable end to end TLS in Application Gateway v2 a trusted root certificate must be uploaded. Application Gateway will only communicate with backends whose server certificate’s root certificate matches one of the list of trusted root certificates in the backend http setting associated with the pool.
    • In addition to the root certificate match, Application Gateway v2 also validates if the Host setting specified in the backend http setting matches that of the common name (CN) presented by the backend server’s TLS/SSL certificate. When trying to establish a TLS connection to the backend, Application Gateway v2 sets the Server Name Indication (SNI) extension to the Host specified in the backend http setting.
    • The certificate on the listener requires the entire certificate chain to be uploaded (the root certificate from the CA, the intermediates and the leaf certificate) to establish the chain of trust.
    • It is also recommended that the backend server certificate contain both the root and intermediate CAs.

    Refer :

    If everything seems to be correct on your end post following the above considerations, then it may require a deeper investigation. Hence, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

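One way to check the two v2 conditions listed in the answer above (Host-to-CN match and root match) from a machine that can reach the backend. This is an added example, not part of the thread or of Microsoft's tooling; the backend address, host name and `.cer` path are placeholder assumptions, and listing the SAN DNS names goes beyond the CN check the answer describes.

```powershell
# Added example. All parameter defaults below are placeholders (assumptions).
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$BackendAddress = '10.0.0.4',           # assumed backend pool member
    [string]$ProbeHost      = 'app.contoso.test',   # assumed Host in the backend HTTP setting / probe
    [int]   $Port           = 443,
    [string]$TrustedRootCer = '.\backend-root.cer'  # assumed root uploaded as trusted root
)

function Test-NameMatch([string]$HostName, [string]$CertName) {
    if ($CertName.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label.
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $CertName.Substring(1))
    }
    return $HostName -ieq $CertName
}

# Connect to the backend address but send $ProbeHost as SNI, as the answer says v2 does.
$tcp = [System.Net.Sockets.TcpClient]::new($BackendAddress, $Port)
try {
    # Accept any certificate here: the goal is to inspect it, not to trust it.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($ProbeHost)
    $leaf = [X509Certificate2]::new($ssl.RemoteCertificate)
} finally { $tcp.Dispose() }

$cn  = $leaf.GetNameInfo([X509NameType]::SimpleName, $false)
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = if ($san) {
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
} else { @() }

# Build the chain with the uploaded root available, then compare the top element to it.
$root  = [X509Certificate2]::new((Resolve-Path $TrustedRootCer).Path)
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
[void]$chain.Build($leaf)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    ProbeHost     = $ProbeHost
    CertificateCN = $cn
    CNMatchesHost = Test-NameMatch $ProbeHost $cn
    SanDnsNames   = $sanNames -join ', '
    ChainRoot     = $top.Subject
    RootIsTrusted = $top.Thumbprint -eq $root.Thumbprint
}
```

If `CNMatchesHost` is false, the Host in the backend HTTP setting or probe and the certificate subject disagree; if `RootIsTrusted` is false, the uploaded `.cer` is not the root of the chain the backend actually serves.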