Application Gateway Probe gives false negative

Jan Vávra 231 Reputation points
2022-06-20T14:03:16.97+00:00

After defining the probes at App Gateway with SKU Standard V2, I've got:

The Common Name (CN) of the backend server certificate does not match the host header entered in the health probe configuration (v2 SKU) or the FQDN in the backend pool (v1 SKU). Verify if the hostname matches with the CN of the backend server certificate

But when I looked at the IIS log on the backend servers, I could see:

Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken

2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.5 - - - agw.mydomain.cz 200 0 0 423
2022-06-20 13:52:12 10.0.0.4 GET /status.php - 443 - 10.0.1.7 - - - agw.mydomain.cz 200 0 0 409

At the frontend user side everything works, and in the IIS log I can see a row with a filled-in user agent (Edge):
2022-06-20 13:52:09 10.0.0.4 GET /whoami.php - 443 - 10.0.1.5 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/102.0.5005.124+Safari/537.36+Edg/102.0.1245.44 ApplicationGatewayAffinityCORS=1f2ecc2258faf740ac14c6b38debac38;+ApplicationGatewayAffinity=1f2ecc2258faf740ac14c6b38debac38 https://agw.mydomain.cz/whoami.php agw.mydomain.cz 200 0 0 399

I've also tried doing an openssl check from the backend servers with IPs 10.0.0.4 and 10.0.0.5:
openssl s_client -connect 10.0.0.5:443 -tls1_2 -servername agw.mydomain.cz -showcerts
and from 2 to 1
openssl s_client -connect 10.0.0.4:443 -tls1_2 -servername agw.mydomain.cz -showcerts

And got the proper certificate.

I think this is a bug.

Azure Application Gateway

6 answers

  1. Tchimwa Sougang 931 Reputation points Microsoft Employee
    2022-06-20T17:56:31.187+00:00

    @Jan Vávra Thank you for your question, please can you share a screenshot of your backend pool, HTTPS Settings and probe configuration with us?

  2. Lynn Niu 236 Reputation points
    2022-06-21T09:31:34.297+00:00

    If you use a custom certificate, do you upload your CA certificate to the backend settings?


  3. Jan Vávra 231 Reputation points
    2022-06-21T13:44:24.4+00:00

    Hello, the probe test result is:

    213340-obrazek.png

    Probe configuration is (mydomain is in reality .602.cz, I've changed my first post):

    213451-obrazek.png

    The HTTP settings are as follows. myHTTPSetting7d6847c9-93aa-43c1-925c-03915290907b represents our authority Software602 Root CA, see the attached list.json as a result of:
    az network application-gateway list -g agwrg > list.json
    I wasn't allowed to upload this file, so I've placed it at https://cloud.602.cz/index.php/s/r6aoAXefWXXqSEy

    213386-obrazek.png
    213461-obrazek.png

    The backend pool is:

    213471-obrazek.png

  4. Tchimwa Sougang 931 Reputation points Microsoft Employee
    2022-06-21T17:24:06.413+00:00

    Okay, from the probes, we can clearly see that you're using agw.602.cz as the hostname for the probe. Please can you confirm what the Common Name is on the certificate installed on your backend servers? If it is different from agw.602.cz, it is normal that you are having this error.

  5. Jan Vávra 231 Reputation points
    2022-06-22T10:31:14.807+00:00

    The certificate on the backend server is:

    openssl s_client -connect 10.0.0.4:443 -servername agw.602.cz -showcerts

    213813-obrazek.png
    213863-obrazek.png
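
The `openssl s_client` calls in this thread only print the certificate; they do not check the name or the chain. The script below is an added example, not code from the posters or from Microsoft, that runs both checks with `openssl verify` against a given root and probe host name. It is a client-side approximation of the gateway's validation; the `example.test` names, the function names and the throwaway root and leaf are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check a backend certificate against the
# probe host name and a private root, as a strict TLS client would.
# To capture the leaf from a live backend (address and name as used on this page):
#   openssl s_client -connect 10.0.0.4:443 -servername agw.602.cz </dev/null \
#     | openssl x509 -out leaf.pem

# check_backend_cert LEAF ROOT HOST: exit 0 only if the chain builds to ROOT
# and HOST matches the certificate (SAN dNSName, or CN when no DNS SAN exists).
check_backend_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# cert_names LEAF: print the subject and any DNS SAN entries for comparison.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# make_demo_pki DIR HOST: constructed throwaway root and leaf for HOST (demo only).
make_demo_pki() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo" agw.example.test
for name in agw.example.test backend01.example.test; do
    if check_backend_cert "$demo/leaf.pem" "$demo/root.pem" "$name"; then
        echo "$name: chain and name verify"
    else
        echo "$name: rejected"; cert_names "$demo/leaf.pem"
    fi
done
```

For a real backend, pass the captured `leaf.pem`, the root certificate uploaded to the gateway's backend settings, and the probe's host name to `check_backend_cert`.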
