HTTPS with Custom Domain Not Working on Azure APIM Self-Hosted Gateway

Rafael Ferreira Gaspar 0 Reputation points
2025-05-27T19:58:19.4033333+00:00

Hello everyone,

I'm having trouble getting HTTPS to work with my custom domain on a self-hosted gateway for Azure API Management.

My setup:

  • Self-hosted gateway running in a Docker container (on Ubuntu Server, UFW Disabled).
  • Custom domain configured in the Azure portal: my_custom_domain.com.br.
  • Wildcard .pfx certificate (*.my_custom_domain.com.br) associated with this hostname in the portal.
  • HTTP works fine with the custom domain.
  • Accessing via HTTPS using the host IP address (https://my_host_ip:443) works.
  • However, accessing via HTTPS with the custom domain (https://my_custom_domain.com.br) results in the error: Error: Client network socket disconnected before secure TLS connection was established (or [mention any specific browser error]).

What I've done so far:

  • Verified that "Negotiate client certificate" is disabled for this hostname in the portal.
  • Confirmed the .pfx file contains the certificate, private key, and the full chain (including intermediates and root).
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. Shireesha Eeraboina 3,435 Reputation points Microsoft External Staff Moderator
    2025-05-28T07:30:03.5033333+00:00

    Hi Rafael Ferreira Gaspar,

    It sounds like an SNI (Server Name Indication) issue, where the self-hosted gateway isn't presenting the correct certificate for my_custom_domain.com.br over HTTPS, even though other connections work.

    Here’s a focused approach:

    Azure Portal: Check Hostname & Certificate:

    Go to APIM > Gateways > [Your Self-Hosted Gateway] > Hostnames.

    Ensure my_custom_domain.com.br is listed and your wildcard certificate (*.my_custom_domain.com.br) is explicitly selected and saved for this hostname. This is the most common fix.

    Gateway Logs for Errors:

    When you attempt https://my_custom_domain.com.br, immediately check the gateway container logs:

        docker logs <your_gateway_container_name_or_id>

    Look for TLS handshake, certificate, or SNI errors.

    Test Certificate with openssl s_client:

    This tool reveals what certificate the gateway presents for your domain:

        openssl s_client -connect my_custom_domain.com.br:443 -servername my_custom_domain.com.br

    Verify the correct certificate is shown. Note any errors. The error "Client network socket disconnected..." suggests the gateway might be closing the connection if it can't find a matching cert for the SNI.

    Gateway Configuration Sync & Restart:

    Ensure the gateway can sync with Azure (outbound port 443 to *.configuration.azure-api.net).

    After verifying portal settings, a gateway restart (docker restart <container_id>) can help apply changes.

    Reference Docs:

    Configure custom domain for self-hosted gateway

    Self-hosted gateway overview

    Please let me know in case of further queries, I would be happy to assist you.

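As an added example (not part of the answer above and not Microsoft tooling), the shell functions below take the `openssl s_client` check one step further: they test whether the certificate presented for an SNI name actually covers that name. The function names are hypothetical, the sample SAN text is constructed from the question's placeholder domain, and the live probe assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: does the certificate served for an SNI name cover that name?

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output,
# built from the question's placeholder domain (not captured from a real host).
SAMPLE_SAN_TEXT='X509v3 Subject Alternative Name:
    DNS:*.my_custom_domain.com.br'

# presented_san_text HOST [PORT] [SNI]: SAN extension of the leaf certificate
# the server returns for that SNI name (needs network access).
presented_san_text() {
  openssl s_client -connect "$1:${2:-443}" -servername "${3:-$1}" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName
}

# sans_from_text: SAN text on stdin, one dNSName per line on stdout.
sans_from_text() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# san_covers PATTERN HOST: succeed if a single SAN entry covers HOST.
# A leading "*." stands for exactly one label, so it never covers the bare domain.
san_covers() (
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    \*.*)
      suffix=${pat#\*}                     # e.g. ".my_custom_domain.com.br"
      case "$host" in
        *"$suffix") label=${host%"$suffix"} ;;
        *) exit 1 ;;
      esac
      case "$label" in ''|*.*) exit 1 ;; esac
      exit 0 ;;
    *) [ "$pat" = "$host" ] ;;
  esac
)

# cert_covers_host HOST: SAN text on stdin; succeed if any dNSName covers HOST.
# Empty input (handshake dropped, no certificate returned) also fails.
cert_covers_host() (
  set -f                                   # keep "*.domain" from being glob-expanded
  for san in $(sans_from_text); do
    san_covers "$san" "$1" && exit 0
  done
  exit 1
)

# Live check (not run here):
#   presented_san_text my_custom_domain.com.br | cert_covers_host my_custom_domain.com.br
```

A `*.` wildcard matches exactly one label, so a certificate that lists only `*.my_custom_domain.com.br` covers `api.my_custom_domain.com.br` (a hypothetical name) but not the bare `my_custom_domain.com.br`.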
