You can choose to use any other tool that is convenient. If the certificate wasn't issued by a trusted CA (for example, if a self-signed certificate was used), upload the issuer's certificate to Application Gateway. In this example, you'll use the Windows Certificate Manager tool to export the required certificates. The authentication certificate is the public key of the backend server certificate in Base-64 encoded X.509 (.CER) format. For testing purposes, you can create a self-signed certificate, but you shouldn't use it for production workloads.

The error says that the root certificate is not whitelisted on the Application Gateway, but you might have a perfectly valid third-party certificate on the backend; moreover, if you access the backend directly, bypassing the Application Gateway, the browser shows no certificate problem at all. Here is the sample command you need to run, from a machine that can connect to the backend server/application.

Check the backend server's health and whether the services are running. Check that the backend responds on the port used for the probe.

The v2 SKU is not an option at the moment due to lack of UDR support.

I can confirm that it's NOT a general issue or bug of the product. The issue was on certificate.
Otherwise please share the message in that scenario without adding the root explicitly.

Backend Nginx works just fine with HTTPS, but the Application Gateway HTTPS health probes fail with the message "Backend server certificate is not whitelisted with Application Gateway." What is the deal here?

Something you will see missing in the Microsoft docs is having a default site binding to an SSL certificate without SNI enabled.

If you have an ExpressRoute/VPN connection to the virtual network over BGP, and you're advertising a default route, you must make sure that the packet is routed back to the internet destination without modification. If the NSG rules don't allow the connections, create a new rule to allow them. Learn more about Application Gateway diagnostics and logging.

As described earlier, the default probe is sent to <protocol>://127.0.0.1:<port>/, and response status codes in the range 200 through 399 are considered Healthy. After sending the probe to the backend server, Application Gateway waits for a response from the backend server for the configured period. If the port mentioned is not the desired port, enter the correct port number for Application Gateway to connect to the backend server. Ensure that you add the correct root certificate to whitelist the backend.
In this article I am going to talk about one of the most common issues, "backend certificate not whitelisted". If you check the backend health of the Application Gateway you will see an error like this: "The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway."

A trusted root certificate is required to allow backend instances in the Application Gateway v2 SKU. Configure that certificate on your backend server. The certificate that has been uploaded to the Application Gateway HTTP settings must match the root certificate of the backend server certificate. Otherwise (if the default route is not the one legitimately advertised over ExpressRoute/VPN), change the next hop to Internet, select Save, and verify the backend health.

You should import the root certificate only if the backend certificate is issued by an internal CA. I hope we are clear by now on why we import an authentication certificate in the HTTP settings of the AppGW and when we use the option "Use Well Known CA". The actual problem arises if you are using a third-party certificate or an internal CA certificate that has an intermediate CA and then the leaf certificate. For security reasons most orgs use Root Cert -> Intermediate Cert -> Leaf Cert; even Microsoft follows the same for bing, check the screenshot below. Now let's discuss what exactly the confusion is when we have a multi-chain certificate. When you have a single-chain certificate there is no confusion with the AppGW: if your root CA is globally trusted, just select the "Use Trusted Root CA" option in the HTTP settings; if your root CA is an internal CA, export that top root certificate in .cer format and upload it in the HTTP settings.

Check whether access to the path is allowed on the backend server. If Pick hostname from backend address is set in the HTTP settings, the backend address pool must contain a valid FQDN.

Thank you for sharing it.

Was the error "exactly" the same before you explicitly added the exported root rather than relying on "Digicert" as a known authority?
For File name, name the certificate file. For File to Export, browse to the location to which you want to export the certificate. An existing backend certificate is required to generate the authentication certificates or trusted root certificates required for allowing backend instances with Application Gateway. The section in blue contains the information that is uploaded to Application Gateway.

If the next hop is virtual network gateway, there might be a default route advertised over ExpressRoute or VPN.

To learn more visit https://aka.ms/UnknownBackendHealth.

Now clients will check the server certificate and confirm whether it is issued by a trusted root or not.

I will clean up some of my older comments to keep it generic to all since the issue has been identified.

However, when I replace all 3 certificates with my CA cert, it goes red and warns me "Backend server certificate is not whitelisted with Application Gateway". The reason why I try to use CA.

With OpenSSL, should I run the command from the local server?

Issue within certification chain using Azure Application Gateway. The HTTP setting of the gateway is configured as follows: I've provided, hopefully, the correct root certificate for the setting.

Let me know here if you face any issue reaching Azure support or if you do not have a support plan for your subscription.
References: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting, https://learn.microsoft.com/en-us/azure/application-gateway/certificates-for-backend-authentication#export-trusted-root-certificate-for-v2-sku, https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-tls-with-the-v2-sku.

Message: The backend health status could not be retrieved. Otherwise, it will be marked as Unhealthy with this message. If you open your certificate with Notepad and it doesn't look similar to this, typically this means you didn't export it using the Base-64 encoded X.509 (.CER) format.

I did not find this error message listed here https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting.

When I use v2 SKU with the option to trust the backend certificate from APIM it works.

Sorry my bad, this is actually now working - I just needed to have the CN in the certificate match what was set in the backend pool.

Also, please let me know your ticket number so that I can track it internally.

The server will send its certificate, and because the AppGW already has the root certificate, it verifies the backend server certificate, finds that it was issued by the root certificate it trusts, and then continues the HTTPS connection for probing. But when we have a multi-chain certificate and your backend application sends the Application Gateway only the leaf certificate, the AppGW is not able to build trust in the certificate up to the top-level root.
@sajithvasu I am not aware of any changes that have been made on the App Gateway side that would make this not work.

To answer that, we need to understand what happens in any SSL/TLS negotiation.

Related documentation: Export trusted root certificate (for v2 SKU); Overview of TLS termination and end to end TLS with Application Gateway; Application Gateway diagnostics and logging.

I just set it up and cannot get the health probe for HTTPS healthy.

If you don't mind, can you please post the summary of the root here to help people who might face a similar issue?

Message: Backend certificate is invalid. Allow the backend on the Application Gateway by uploading the root certificate of the server certificate used by the backend. To verify, you can use OpenSSL commands from any client and connect to the backend server by using the configured settings in the Application Gateway probe.

After the CA authority re-created the certificate, the problem was gone.

Default route advertised by the ExpressRoute/VPN connection to the virtual network over BGP: on the Application Gateway Overview tab, select the Virtual Network/Subnet link. Select Save and verify that you can view the backend as Healthy.

Check the network security group (NSG) settings of the backend server's network adapter and subnet and whether inbound connections to the configured port are allowed.
For the server certificate to be trusted we need the root certificate in the Trusted Root certificate store. Usually, if your certificates are issued by third-party vendors like GoDaddy, DigiCert or Verisign, you don't have to do anything, because they are automatically trusted by your client/browser.

I have configured an Azure Application Gateway (v2) and there is one backend server.

The certificate added to the backend HTTP setting to authenticate the backend servers can be the same as the certificate added to the listener for TLS termination at the Application Gateway, or a different one for enhanced security. In this example, you'll use a TLS/SSL certificate for the backend certificate and export its public key to be used as .

@sajithvasu I would continue to work with the support engineers while they look deeper into your authentication certificate.

Select the root certificate and then select, In the Certificate properties, select the, Verify the CN of the certificate from the details and enter the same in the host name field of the custom probe or in the HTTP settings (if.

The Application Gateway then tries to connect to the server on the TCP port mentioned in the HTTP settings. If it's not listening on the configured port, check your web server settings. Check to see if there are any default routes (0.0.0.0/0) with the next hop not set as Internet. If you see an Unhealthy or Degraded state, contact support.

Most of the best practice documentation involves the V2 SKU and not the V1.

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
To find out the reason, check OpenSSL diagnostics for the message associated with error code {errorCode}. Solution: To resolve this issue, verify that the certificate on your server was created properly. See https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#end-to-end-tls-with-the-v2-sku.

Cause: After the TCP connection has been established and a TLS handshake is done (if TLS is enabled), Application Gateway sends the probe as an HTTP GET request to the backend server. Solution: If you receive this error, follow these steps: check whether you can connect to the backend server on the port mentioned in the HTTP settings by using a browser or PowerShell.

The status retrieved by any of these methods can be any one of the following states: If the backend health status for a server is Healthy, it means that Application Gateway will forward requests to that server.

Here is what happens with a multi-chain certificate. The backend presents only its leaf certificate, the AppGW cannot chain it to the trusted root, the SSL/TLS negotiation fails, and the AppGW marks the backend as unhealthy because it is not able to initiate the probe.

Fast-forward to 2022: we are also faced with the same issue and getting the same error "Backend server certificate is not whitelisted with Application Gateway" using Application Gateway v1. I raised a ticket with Microsoft.