![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 18%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Internet Information Services
Microsoft web server software.
1,622 questions
Hello @Veera ,
I understand that you are getting the following error when trying to setup your Application gateway listener to HTTPS - "The Common Name of the leaf certificate presented by the backend server does not match the Probe or Backend Setting hostname of the application gateway".
I checked the PDF you shared, and I could see the backend health is returning a 400 HTTP status code.
HTTP 400 response codes are commonly observed when:
- Non-HTTP / HTTPS traffic is initiated to an application gateway with an HTTP or HTTPS listener.
- HTTP traffic is initiated to a listener with HTTPS, with no redirection configured.
- Mutual authentication is configured and unable to properly negotiate.
- The request isn't compliant to RFC.
Refer: https://learn.microsoft.com/en-us/azure/application-gateway/http-response-codes#400--bad-request
So, requested you to check the reasons listed in the above document to validate that you are not hitting any of them.
If all the above checks out, then try to setup the custom health probe as below and try again:
And set "override hostname" in the Backend Setting to NO.
You confirmed that the above custom health probe setting works but have doubts regarding the limits as you have 150 HTTPS sites,
Looking at your issue, I would like to share the below points:
As mentioned in the below troubleshooting document; to fix the Common Name (CN) mismatch issue, you should do the following:
- If you’re using a Default Probe – You can specify a hostname in the associated Backend setting of your application gateway. You can select “Override with specific hostname” or “Pick hostname from backend target” in the backend setting.
- If you’re using a Custom Probe – For Custom Probe, you can use the “host” field to specify the Common Name of the backend server certificate. Alternatively, if the Backend Setting is already configured with the same hostname, you can choose “Pick hostname from backend setting” in the probe settings.
- You tried the first solution, but it failed:
https://site01.domain.com -> appgw listener-https (*.domain.com) -> backend setting (Override with new host name:yes, Override with specific domain name hostname *.domain.com) -> backend health is failing
This could be failing because the default probe is marking the backend as unhealthy due to the probe failure.
The default probe looks only at <protocol>://127.0.0.1:<port> to determine health status.
So, if you're using host-headers and SNI on HTTPS bindings and you do not receive a response and certificate from a manual browser request to https://127.0.0.1/ on the backend servers, you must set up a default TLS binding on them. If you do not do so, probes fail, and the back end is not allowed.
- The second solution is the one I shared above.
When a backend server has a wildcard certificate (*.contoso.com) installed to serve different sub-domains, you can use a Custom probe with a specific hostname (required for SNI) that is accepted to establish a successful TLS probe and report that server as healthy. With "override hostname" in the Backend Setting set to NO, the different incoming hostnames (subdomains) will be passed as is to the backend.
The following works, but for each site, we need specific settings and probes, and we have over 150 HTTPS sites, with a limit of 100 backend settings and health probes in APPGW. <---- You don't have to add custom health probe for each sub-domain. You can create a single custom health probe with site01.domain.com and associate it to the single wildcard listener and backend setting and this should work.
This is mentioned in the below document:
For backend health check, you can't associate multiple custom probes per HTTP settings. Instead, you can probe one of the websites at the backend or use "127.0.0.1" to probe the localhost of the backend server. However, when you're using wildcard or multiple host names in a listener, the requests for all the specified domain patterns are routed to the backend pool depending on the rule type (basic or path-based).
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.