Was the error "exactly" the same before you explicitly added the exported root rather than relying on "Digicert" as a known authority?

Backend Nginx works just fine with HTTPS, but the application gateway HTTPS health probes fail with the message "Backend server certificate is not whitelisted with Application Gateway." What is the deal here?
Azure Application Gateway with an internal APIM

If the backend server response for the probe request contains the string "unauthorized", it will be marked as Healthy. The protocol and destination port are inherited from the HTTP settings. To check the health of your backend pool, you can use the
Azure Application Gateway: 502 error due to backend certificate not

The exported certificate looks similar to this: If you open the exported certificate using Notepad, you see something similar to this example.

In this article I am going to talk about one of the most common issues, "backend certificate not whitelisted". If you check the backend health of the application gateway, you will see an error like this: The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway.

@EmreMARTiN, you mentioned your backend certificate is from "Digicert", which is already a well-known trusted CA.

with your vendor and update the server settings with the new

If your backend is within a VNET that is not accessible from your local machine, then run openssl from a Cloud Shell within the VNET. The certificate that has been uploaded to the Application Gateway HTTP settings must match the root certificate of the backend server certificate.

Open a command prompt (Win+R -> cmd), enter netstat, and select Enter. You'll see the Certificate Export Wizard. If there's a custom DNS server configured on the virtual network, verify that the servers can resolve public domains.

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

To create a custom probe, follow these steps. Next hop: Internet.
The reason why I try to use a CA cert is that I manage all the resources in Terraform; with a single CA cert, it is better to automate the process.

This will take some time to track down and fix, and the docs will need to be updated with limitations & best practices. Let me know here if you face any issue reaching Azure support or if you do not have any support plan for your subscription.

Currently we are seeing issues with the app gateway backend going unhealthy due to the backend auth cert.

By default, Azure Application Gateway probes backend servers to check their health status and to check whether they're ready to serve requests. Message: The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. "Backend server certificate is not whitelisted with Application Gateway."

Something you will find missing from the Microsoft docs is the case of a default site binding to an SSL certificate without SNI enabled.
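As an added example (not code from the original page, from Microsoft, or from any of the posters quoted above), the following script does the check the replies above point at: run openssl against the backend, look at the chain it actually sends, and test whether the Base-64 .cer you uploaded to the HTTP settings is the self-signed root that anchors that chain. It deliberately ignores the machine's own trust store, because the gateway does too: a backend certificate from a public CA such as DigiCert still fails with "not whitelisted" unless that CA's root is uploaded, and the same check fails when the backend omits its intermediate certificate. The backend host, port, SNI name and file names are placeholders; `demo` mode builds a throwaway root -> intermediate -> server chain (constructed test data, not real certificates) so the pass and fail cases can be seen offline. It assumes openssl 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the original page or from Microsoft). Checks whether the
# root certificate uploaded to an Application Gateway HTTP setting is the root that
# actually anchors the certificate chain the backend presents over TLS.
# Assumes: openssl 1.1.0+ on PATH; host, port, SNI name and .cer file are placeholders.

# Fetch the chain the backend sends. SNI matters: an IIS/Nginx default binding
# without SNI can return a different certificate than the one you expect.
fetch_chain() {  # fetch_chain HOST PORT SNI_NAME OUT_PEM
  openssl s_client -connect "$1:$2" -servername "$3" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$4"
  [ -s "$4" ]
}

# The Windows export wizard writes either Base-64 (PEM) or DER; normalise to PEM.
to_pem() {  # to_pem IN_CER OUT_PEM
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
  else openssl x509 -inform der -in "$1" -out "$2"; fi
}

# Subject / issuer of the FIRST certificate in a PEM file, in RFC 2253 form.
subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# Application Gateway wants the self-signed root, not a leaf or an intermediate.
is_self_signed() { [ "$(subject "$1")" = "$(issuer "$1")" ]; }

# Flags that stop openssl from consulting the system trust store, so that only the
# uploaded root counts, as on the gateway. -no-CAstore exists on OpenSSL 3.x only.
verify_flags() {
  flags='-no-CAfile -no-CApath'
  openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && flags="$flags -no-CAstore"
  echo "$flags"
}

# Does the backend's chain verify with ONLY the uploaded root as trust anchor?
# The chain is passed as -untrusted, so intermediates must come from the backend.
chain_anchored_by() {  # chain_anchored_by CHAIN_PEM ROOT_PEM
  leaf=$(mktemp); rc=0
  sed -n '1,/-----END CERTIFICATE-----/p' "$1" >"$leaf"   # first cert = leaf
  # shellcheck disable=SC2046  (verify_flags is meant to word-split)
  openssl verify $(verify_flags) -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1 || rc=$?
  rm -f "$leaf"
  return $rc
}

# Real-world use: pull the chain from the backend and test it against the exported .cer.
main() {  # main HOST PORT SNI_NAME UPLOADED_ROOT_CER
  d=$(mktemp -d); rc=0
  if ! fetch_chain "$1" "$2" "$3" "$d/chain.pem"; then
    echo "no certificate received from $1:$2 (check NSG/UDR, DNS and the listener)"; rm -rf "$d"; return 2
  fi
  to_pem "$4" "$d/root.pem"
  echo "backend sent $(grep -c 'BEGIN CERTIFICATE' "$d/chain.pem") certificate(s)"
  echo "leaf: $(subject "$d/chain.pem")  issued by: $(issuer "$d/chain.pem")"
  echo "uploaded: $(subject "$d/root.pem")  $(openssl x509 -in "$d/root.pem" -noout -fingerprint -sha256)"
  is_self_signed "$d/root.pem" || { echo "FAIL: uploaded certificate is not a self-signed root"; rc=1; }
  if chain_anchored_by "$d/chain.pem" "$d/root.pem"; then
    echo "OK: chain anchors to the uploaded root"
  else
    echo "FAIL: expect 'not whitelisted' (wrong root uploaded, or backend omits an intermediate)"; rc=1
  fi
  rm -rf "$d"; return $rc
}

# Constructed test data: a throwaway root -> intermediate -> server chain plus an
# unrelated root, so the check can be exercised offline. Not real certificates.
make_demo_chain() {  # make_demo_chain DIR
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:backend.internal\n' >"$dir/leaf.ext"
  for n in root other; do  # two self-signed roots; only "root" signs the chain
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$n.key" -out "$dir/$n.csr" -subj "/CN=Demo $n CA" 2>/dev/null
    openssl x509 -req -in "$dir/$n.csr" -signkey "$dir/$n.key" -extfile "$dir/ca.ext" -days 1 -out "$dir/$n.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" -days 1 -out "$dir/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=backend.internal" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" -days 1 -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/int.pem" >"$dir/chain.pem"   # what a correctly configured backend sends
  cp "$dir/leaf.pem" "$dir/chain-no-intermediate.pem"    # a common misconfiguration
}

demo() {
  d=$(mktemp -d); make_demo_chain "$d"
  chain_anchored_by "$d/chain.pem" "$d/root.pem"                 && echo "right root uploaded, full chain served: healthy"
  chain_anchored_by "$d/chain.pem" "$d/other.pem"                || echo "wrong root uploaded: 'not whitelisted'"
  chain_anchored_by "$d/chain-no-intermediate.pem" "$d/root.pem" || echo "intermediate missing on backend: 'not whitelisted'"
  is_self_signed "$d/int.pem"                                    || echo "intermediate uploaded instead of root: rejected"
  rm -rf "$d"
}

case "${1:-}" in
  demo) demo ;;        # ./check_root.sh demo
  "")   ;;             # no arguments: only define the functions
  *)    main "$@" ;;   # ./check_root.sh backend.internal 443 backend.internal exported-root.cer
esac
```

Run it from a Cloud Shell or a VM inside the VNET when the backend is not reachable from your workstation, and pass the same hostname the HTTP setting uses so that SNI selects the same binding the gateway sees. The root-anchor check corresponds to the v2 SKU's "trusted root certificate" setting, which is the wording of the mismatch message quoted above; on the v1 SKU the HTTP setting takes the backend server's own certificate (an "authentication certificate"), so there you would compare the SHA-256 fingerprint of the first certificate in chain.pem with the .cer you uploaded instead.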