Hello Joshua,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
It sounds like you're hitting a snag with your Application Gateway's backend health due to a missing intermediate certificate. Here's how you might go about resolving this:
Steps to Troubleshoot:
- Certificate Chain Validation:
- Make sure that the certificate chain is complete on your backend server. This means that if you have a self-signed certificate, also ensure that the intermediate certificates (if any) are correctly installed on the backend server. The chain should include the root CA, the intermediate CA(s), and finally your server certificate.
- Intermediate Certificates:
- If you generated the certificate yourself, ensure that you have exported the intermediate certificate properly. Often, self-signed certificates are only the leaf (server) certificate, missing the necessary intermediates that form the complete chain.
- Reconfigure the Backend Settings:
- In the Application Gateway configuration, double-check your backend HTTP settings. Ensure that the correct protocol (HTTPS) and port (default is 443) are being used, and that SSL settings are properly configured.
- Health Probes:
- Verify that your health probe settings are correctly set to use HTTPS and that you have specified the right host name or path that the probe should check. You can access the health probe settings through the Azure portal under the Application Gateway resources.
- Diagnostics:
- Use the Application Gateway diagnostics to run a health check on your backend pool. You can access this through the 'Backend health' tab in the Azure portal. This will provide insights if there are any specific misconfigurations or certificate issues.
- Use Command Line:
- You can also utilize Azure CLI or Azure PowerShell to check backend health for more detailed diagnostics. For example:
- Azure CLI:
az network application-gateway show-backend-health --resource-group <YourResourceGroup> --name <YourGatewayName>
- PowerShell:
Get-AzApplicationGatewayBackendHealth -Name <YourGatewayName> -ResourceGroupName <YourResourceGroup>
Additional Considerations:
- Ensure there are no network security groups (NSGs) or routing problems that might be blocking the communication between the Application Gateway and your backend server.
- If you are using a self-signed certificate for a production environment, you might want to consider transitioning to using a certificate issued by a trusted certificate authority for better security and compatibility.
I hope these steps help you get your Application Gateway up and running! If you have any more questions, feel free to ask.
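
The chain check from the first troubleshooting step, as an added example that is not part of the original answer: it builds a constructed root, intermediate and leaf with openssl, then shows that a verifier trusting only the root rejects a server that sends the leaf alone and accepts one that also sends the intermediate. The file names, subject names and the helper functions `new_csr`, `build_chain` and `chain_ok` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed locally.
# Against a real backend, capture what it sends with:
#   openssl s_client -connect <backend>:443 -servername <host> -showcerts </dev/null
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

new_csr() {  # new_csr NAME SUBJECT -> NAME.key and NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {  # constructed root -> intermediate -> leaf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  new_csr root "/CN=Constructed Root CA" &&
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.pem" 2>/dev/null &&
  new_csr int "/CN=Constructed Intermediate CA" &&
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -days 30 -out "$WORK/int.pem" 2>/dev/null &&
  new_csr leaf "/CN=backend.example.internal" &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 30 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# chain_ok SERVED_PEM: succeed only if the first certificate in SERVED_PEM
# chains to the trusted root using nothing but what the server itself sent.
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

build_chain || { echo "could not build the constructed chain" >&2; exit 1; }
cp "$WORK/leaf.pem" "$WORK/served_leaf_only.pem"                 # incomplete
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_full.pem"   # complete

for f in served_leaf_only served_full; do
  if chain_ok "$WORK/$f.pem"; then
    echo "$f: chain complete"
  else
    echo "$f: intermediate missing"
  fi
done
```

To check a real backend, save the `s_client -showcerts` output to a file and run the same `openssl verify` command with your own root certificate as `-CAfile`.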