Backend pools show as unhealthy in azure application gateway

kumar kaushal 176 Reputation points
2021-12-16T13:41:24.477+00:00

I have 3 backend pools, and each pool has 2 servers. One pool has 2 servers listed as unhealthy, and the error message we see is below:

"backend server certificate is not whitelisted with application gateway. Make sure that the certificate uploaded to the application gateway matches with the certificate configured in the backend servers. To learn more visit https://aka.ms/authcertificatemismatch"

I have some questions regarding Application Gateway and need help with them:

1) Can Application Gateway be configured with multiple backend pools, with each pool serving requests for a different application?

Or do all the backend pools have to serve requests for one application?

2) How should we get this issue fixed? I did not find this error message listed here: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting

Do we have to follow the step below for resolution?

Trusted root certificate mismatch
Message: The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to allowlist the backend.

Cause: End-to-end SSL with Application Gateway v2 requires the backend server's certificate to be verified in order to deem the server Healthy. For a TLS/SSL certificate to be trusted, the backend server certificate must be issued by a CA that's included in the trusted store of Application Gateway. If the certificate wasn't issued by a trusted CA (for example, a self-signed certificate was used), users should upload the issuer's certificate to Application Gateway.

The certificate that has been uploaded to Application Gateway HTTP settings must match the root certificate of the backend server certificate.

Solution: If you receive this error message, there's a mismatch between the certificate that has been uploaded to Application Gateway and the one that was uploaded to the backend server.

Follow steps 1-11 in the preceding method to upload the correct trusted root certificate to Application Gateway.

For more information about how to extract and upload Trusted Root Certificates in Application Gateway, see Export trusted root certificate (for v2 SKU).


3 answers

  1. Andriy Bilous 10,996 Reputation points MVP
    2021-12-16T15:01:39.927+00:00

  2. Einaras Mockaitis 1 Reputation point
    2022-03-29T13:32:33.86+00:00

    I have tried to upload the root CA instead of using a well-known CA and the issue persists. I have two listeners, and my issue started on one of them when the SSL certificate was renewed. The other one, whose certificate is still valid and does not need renewal, is green. I have raised a case with Microsoft as I was unable to resolve it myself.


  3. Einaras Mockaitis 1 Reputation point
    2022-03-30T07:34:53.367+00:00

    Have run s_client -connect backend_ip:443 -servername backend_url -showcerts and found that the Root CA is missing.
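As an added example (not part of this thread or of any Microsoft tooling), the check the last answer did by eye, scripted: parse the "Certificate chain" headers that openssl s_client -showcerts prints, follow the subject/issuer links from the leaf, and report the issuer name the backend never sent, which is the root that has to be in the gateway's trusted-root store (or, if an intermediate is what is missing, the gap to fix on the backend). The sample output is constructed with certificate bodies elided, and the " N s:" / "   i:" header layout is assumed to be that of OpenSSL 1.1.1 and later.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output, not a real
# capture: the backend sends its leaf and one intermediate but no root.
# Certificate bodies are elided; only the "s:"/"i:" header lines are parsed.
SAMPLE_CHAIN_MISSING_ROOT = """\
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = backend.example.internal
   i:C = US, O = Example Corp, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Issuing CA
   i:C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = backend.example.internal
"""

# One chain entry as OpenSSL 1.1.1+ prints it: " N s:<subject>" then "   i:<issuer>"
CHAIN_ENTRY = re.compile(r"^[ \t]*\d+ s:(.*)\n[ \t]*i:(.*)$", re.MULTILINE)

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the backend sent them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_ENTRY.finditer(showcerts_output)]

def missing_root(showcerts_output):
    """Follow issuer links from the leaf (entry 0). Return None when the chain
    ends in a self-signed root the backend sent; otherwise return the issuer
    name the backend did not send, i.e. the certificate that must be in the
    gateway's trusted-root store (or a missing intermediate on the backend)."""
    chain = parse_chain(showcerts_output)
    if not chain:
        raise ValueError("no 'Certificate chain' section found")
    issuer_of = dict(chain)            # subject -> issuer for every cert sent
    subject, issuer = chain[0]         # entry 0 is the leaf
    for _ in range(len(chain)):        # each step consumes one sent cert
        if subject == issuer:
            return None                # self-signed root closes the chain
        if issuer not in issuer_of:
            return issuer              # next link was not sent by the backend
        subject, issuer = issuer, issuer_of[issuer]
    return issuer                      # cycle among sent certs: treat as broken
```

Feed it a real capture (openssl s_client ... -showcerts > chain.txt) and compare the reported name with the subject of the root certificate uploaded to the HTTP settings; a mismatch there is exactly the condition the error message describes.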