Hello, working on exposing am internal load balancer through an app gw v2. My listener continues to default to the wrong certificate, so when I open the host name on the browser it depicts the wrong certificate.

EDWARD REYESARROYO 25

-Double check settings as in hostname, correct wildcard attached to our listener.

-Error: The Common Name of the leaf certificate presented by the backend server does not match the Probe or Backend Setting hostname of the application gateway.

-When attempting to open the site shows insecure and the certificate information points to out gitlab solution versus the desired load balancer....

Please advice if I should add more details.

EDWARD REYESARROYO 25 Reputation points

2024-07-18T15:29:05.1666667+00:00

Ill try right now thank you for the quick reply.
KapilAnanth-MSFT 45,366 Reputation points Microsoft Employee

2024-07-22T09:42:39.9666667+00:00

@EDWARD REYESARROYO , sure.

Please keep us posted on how this goes
KapilAnanth-MSFT 45,366 Reputation points Microsoft Employee

2024-10-04T04:40:42.0333333+00:00

@EDWARD REYESARROYO ,

Glad to know the issue has been resolved.

I shall summarize our discussion and post it as an answer.

I would greatly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 45,366 Reputation points Microsoft Employee

2024-07-18T08:39:33.1833333+00:00
@EDWARD REYESARROYO ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your verbatim, you are trying to add an ILB as the backend of an App gateway and this appears to be a new setup altogether.

If you bypass the Application Gateway, and directly access the ILB from a VM, does this work?

Do you use any domain on the ILB or just access it like https://<PrivateIpOfILB>:443 ?

What is the hostname you are configuring in the Application Gateway BackendHTTPSettings ?

If you are using a custom Probe, what are the values used ?

Cheers,

Kapil
Please sign in to rate this answer.
EDWARD REYESARROYO 25 Reputation points

2024-07-18T12:59:47.5566667+00:00

Thank you for reaching back,

-Currently exposure is facilitated by a third party solution,
third-party solution-->ILB-->Scale set (using our wildcard)
(We are trying to phase out and go more native) (when opening the site on a browser it defaults to another cert....) trying for: APP GW -->ILB-->Scale Set
-The back end target is 10.xx.xx.xx, so private IP

on backend settings the hostname is xxx.xxx.net which is the same used in the third part solution....
-Attempted the probe approach, but got the same error.

KapilAnanth-MSFT 45,366 Reputation points Microsoft Employee

2024-07-18T13:44:27.3033333+00:00

@EDWARD REYESARROYO ,

If the hostname is set up as "xxx.xxx.net", then the backend should present the appropriate certificate with the CN "xxx.xxx.net".

As you mentioned, In case we are to manually select the certificate or a different certificate is presented,

App gateway will not be able to identify the correct certificate.

The backend should respond with the appropriate certificate based on the host name.

In case you do not have direct access to the backend to check from a VM,

You can consider using default probe which would send "https://127.0.0.1:443/"

In this case, the backend should be capable of serving request when the host is "127.0.0.1"

For more info, see : Backend TLS connection For probe traffic

Also see : Common Name (CN) doesn't match

Cheers,

Kapil

EDWARD REYESARROYO 25 Reputation points

2024-10-03T20:05:13.8666667+00:00

End up using a listener to 127.0.0.1, its always the last thing we try before it works.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Hello, working on exposing am internal load balancer through an app gw v2. My listener continues to default to the wrong certificate, so when I open the host name on the browser it depicts the wrong certificate.

1 answer

Your answer