Health probe and Wildcard certificate

Antonio Valenzuela 20 Reputation points
2023-07-10T21:18:04.4+00:00

I appreciate guidance. Suggest improvements so that the health probe does not evaluate matches between the FQDN of the Backend App-Gw and the CN of the Wildcard certificate.

"The Common Name of the leaf certificate presented by the backend server does not match the Probe or Backend Setting hostname of the application gateway."

Backend pool host.domain.com vs CN *.domain.com

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
914 questions
0 comments No comments
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 20,606 Reputation points Microsoft Employee
    2023-07-11T02:54:29.99+00:00

    @Antonio Valenzuela

    Welcome to the Microsoft Q&A forum.

    If I understand it correctly you are getting the following error for App Gatwy health probe "The Common Name of the leaf certificate presented by the backend server does not match the Probe or Backend Setting hostname of the application gateway."

    Based on the troubleshooting documentation here

    Cause: This occurs when you have selected HTTPS protocol in the backend setting, and neither the Custom Probe’s nor Backend Setting’s hostname (in that order) matches the Common Name (CN) of the backend server’s certificate.

    Solution: The hostname information is critical for backend HTTPS connection since that value is used to set the Server Name Indication (SNI) during TLS handshake. You can fix this problem in the following ways based on your gateway’s configuration.

    For V2,

    • If you’re using a Default Probe – You can specify a hostname in the associated Backend setting of your application gateway. You can select “Override with specific hostname” or “Pick hostname from backend target” in the backend setting.
    • If you’re using a Custom Probe – For Custom Probe, you can use the “host” field to specify the Common Name of the backend server certificate. Alternatively, if the Backend Setting is already configured with the same hostname, you can choose “Pick hostname from backend setting” in the probe settings.

    Hope this helps! Please let me know if you have additional questions or if the solution above is not working for you. Thank you!


    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful