Hello,
I am trying to connect to an on-premises app via the Azure AD Application Proxy. In the browser I get this error:
Below is the error from the connector logs:
The SSL server certificate presented to Microsoft AAD Application Proxy Connector by the backend server is not valid; the certificate is not trusted.
Details:
Transaction ID: {c971facf-4b32-8449-36b7a9bb4699}
Session ID: {c971facf-0839-4b32-36b7a9bb4699}
Published Application Name:
Published Application ID:
Published Application External URL: https://ab.domain.com
Published Backend URL: https://ab1.domain.com/
User: someone@domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Device ID: <Not Applicable>
Token State: NotFound
Cookie State: NotFound
Client Request URL: https://ab.domain.com/
Backend Request URL: https://ab1.domain.com/
Preauthentication Flow: PassThrough
Backend Server Authentication Mode: PassThrough
State Machine State: BERequestWriting
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: GET
Client Request Http Verb: GET
The certificate installed on the backend server (nginx with a Comodo Multi-Domain + Wildcard SAN certificate) is valid and has the SANs declared as specified in https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-configure-custom-domain (Certificate formats section):
Subject Name
Common Name domain.com
DNS NAME domain.com
DNS NAME *.ab.domain.com
DNS NAME ab.domain.com
App Proxy Config:
On the Connector machine, a DNS record in hosts file points the Application Internal URL to the public IP of the application. There are no connectivity issues between the connector and the backend server.
If I access the backend server directly (bypassing the Azure App Proxy) there are no SSL certificate errors in the browser. The nginx server has the private key used to generate the CSR and the PEM (chain) keys configured.
The pfx certificate uploaded in Azure AD App Proxy was generated with openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.pem
I am not sure if there is actually an issue with the certificate or a misconfiguration on the nginx server.
Any tips on how to investigate this further are welcome.
Thank you
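Since the connector validates the backend certificate against the host in the Published Backend URL (ab1.domain.com in the log), one quick check is to evaluate that hostname against the SAN list quoted in the question exactly as a TLS client would. The following is an added example, not code from the post or from Microsoft; the SAN entries are copied from the question, and the live check assumes the backend is reachable from wherever the script runs and uses that machine's trust store rather than the connector host's.

```python
"""Added example (not from the original post): check whether the hostname in the
Backend URL is covered by the certificate's SAN list, the way a TLS client does."""
import socket
import ssl
from typing import Iterable, List
from urllib.parse import urlparse

# SAN entries as listed in the question (constructed from the post, not fetched).
SANS_FROM_QUESTION = ["domain.com", "*.ab.domain.com", "ab.domain.com"]


def backend_hostname(url: str) -> str:
    """Hostname a client sends as SNI and verifies against the SANs."""
    return urlparse(url).hostname or ""


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire leftmost label and
    covers exactly one label, so '*.ab.domain.com' covers 'x.ab.domain.com' but
    neither 'ab.domain.com' (too short) nor 'ab1.domain.com' (different parent)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    if san_labels[0] != "*" or len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def covering_sans(hostname: str, sans: Iterable[str]) -> List[str]:
    """SAN entries that cover hostname; an empty list means a name mismatch."""
    return [s for s in sans if san_matches(s, hostname)]


def fetch_dns_sans(host: str, port: int = 443) -> List[str]:
    """Live check (needs network): handshake with this machine's trust store and
    return the DNS SANs actually served. Raises ssl.SSLCertVerificationError when
    the chain is untrusted or the name does not match, which mirrors the
    connector's complaint (the connector uses the Windows store on its own host)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    host = backend_hostname("https://ab1.domain.com/")  # Backend URL from the log
    print(host, "covered by:", covering_sans(host, SANS_FROM_QUESTION) or "nothing")
```

If covering_sans returns an empty list for the backend hostname, the connector's verification fails on the name before chain trust is even considered; if the name is covered, run fetch_dns_sans to see whether the served chain verifies at all.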