@Jan Vávra Thank you for your question. Please can you share a screenshot of your backend pool, HTTPS settings and probe configuration with us?
Application Gateway Probe gives false negative
After defining the probes at App Gateway with SKU Standard V2, I got:
The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate
But when I looked at the IIS log on the backend servers, I could see:
Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.5 - - - agw.mydomain.cz 200 0 0 423
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.7 - - - agw.mydomain.cz 200 0 0 409
On the frontend user side everything works, and in the IIS log I can see a row with a filled-in user agent (Edge):
2022-06-20 13:52:09 10.0.0.4 GET /whoami.php - 443 - 10.0.1.5 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/102.0.5005.124+Safari/537.36+Edg/102.0.1245.44 ApplicationGatewayAffinityCORS=1f2ecc2258faf740ac14c6b38debac38;+ApplicationGatewayAffinity=1f2ecc2258faf740ac14c6b38debac38 https://agw.mydomain.cz/whoami.php agw.mydomain.cz 200 0 0 399
I've also tried, from the backend servers with IPs 10.0.0.4 and 10.0.0.5, to do an openssl check:
openssl s_client -connect 10.0.0.5:443 -tls1_2 -servername agw.mydomain.cz -showcerts
and from 2 to 1
openssl s_client -connect 10.0.0.4:443 -tls1_2 -servername agw.mydomain.cz -showcerts
And got the proper certificate.
I think this is a bug.
6 answers
-
Tchimwa Sougang 946 Reputation points Microsoft Employee
2022-06-20T17:56:31.187+00:00 -
Lynn Niu 236 Reputation points
2022-06-21T09:31:34.297+00:00 If you use a custom certificate, do you upload your CA certificate to the backend settings?
-
Jan Vávra 341 Reputation points
2022-06-21T13:44:24.4+00:00 Hello, probes test result is:
Probe configuration is (mydomain is in reality .602.cz; I've changed my first post):
HTTP settings are as follows. myHTTPSetting7d6847c9-93aa-43c1-925c-03915290907b represents our authority Software602 Root CA; see the attached list.json, which is the result of:
az network application-gateway list -g agwrg > list.json
I wasn't allowed to upload this file, so I've placed it at https://cloud.602.cz/index.php/s/r6aoAXefWXXqSEy
backend pool is
-
Tchimwa Sougang 946 Reputation points Microsoft Employee
2022-06-21T17:24:06.413+00:00 Okay, from the probes we can clearly see that you're using agw.602.cz as the hostname for the probe. Can you please confirm what the Common Name is on the certificate installed on your backend servers? If it is different from agw.602.cz, it is normal that you are having this error.
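The name comparison asked for above, as an added example that is not part of the thread and not Microsoft's code: shell functions that take the text form of the backend certificate and report whether the probe host name matches its CN and, separately, its SAN DNS names (the error message on this page names only the CN, so the SAN result is a generalization). The function names, the sample certificate text and the example.test names are constructed for illustration.

```shell
# Added example: compares a probe host name with the CN and SAN DNS names in
# the output of: openssl x509 -noout -subject -nameopt multiline -ext subjectAltName

# Constructed sample output for a hypothetical backend certificate.
SAMPLE_CERT_TEXT='subject=
    commonName                = backend01.example.test
X509v3 Subject Alternative Name:
    DNS:backend01.example.test, DNS:*.apps.example.test'

# Subject CN from the openssl text on stdin.
cert_cn() { sed -n 's/^ *commonName *= *//p' | head -n 1; }

# SAN DNS names from the openssl text on stdin, one per line.
cert_sans() { tr ',' '\n' | sed -n 's/^ *DNS://p'; }

# Succeed if host $1 matches certificate name $2 (case-insensitive; a leading
# "*." stands for exactly one left-most label).
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$host" = "$name" ] && return 0
    case "$name" in '*.'?*) ;; *) return 1 ;; esac
    suffix=${name#?}           # "*.apps.example.test" -> ".apps.example.test"
    label=${host%"$suffix"}    # part of the host in front of that suffix
    [ "$label" != "$host" ] || return 1
    case "$label" in ''|*.*) return 1 ;; esac   # empty or more than one label
    return 0
}

# Read the openssl text on stdin and print, for probe host $1,
# "cn=<match|mismatch> san=<match|mismatch>".
check_probe_host() {
    probe_host=$1
    text=$(cat)
    cn=$(printf '%s\n' "$text" | cert_cn)
    cn_result=mismatch san_result=mismatch
    if name_matches "$probe_host" "$cn"; then cn_result=match; fi
    while IFS= read -r san; do
        if name_matches "$probe_host" "$san"; then san_result=match; fi
    done <<EOF
$(printf '%s\n' "$text" | cert_sans)
EOF
    printf 'cn=%s san=%s\n' "$cn_result" "$san_result"
}

# Live use with the address and host name from the thread:
#   openssl s_client -connect 10.0.0.4:443 -servername agw.mydomain.cz </dev/null 2>/dev/null |
#     openssl x509 -noout -subject -nameopt multiline -ext subjectAltName | check_probe_host agw.mydomain.cz
```

A result of `cn=mismatch san=match` means the certificate is valid for the host name only through its SAN list, which is the case to look at when a browser accepts the certificate but the probe reports a CN mismatch.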
-
Jan Vávra 341 Reputation points
2022-06-22T10:31:14.807+00:00 The certificate on the backend server is
openssl s_client -connect 10.0.0.4:443 -servername agw.602.cz -showcerts