
0 Votes
Diddy512-6008 asked TheyssensKoen-8228 answered

Azure Application Gateway Wildcard

I want to configure an Application Gateway with multiple sites.

 x1.contoso.com
 x2.contoso.com
 x3.contoso.com
 ...

I have a wildcard certificate for *.contoso.com

I only get a single subdomain to work when I set the custom hostname in the HTTP settings, for example to x1.contoso.com. The listener is configured for multi-site with the hostnames *.contoso.com. They all point to the same VM (CentOS, Apache).
The backend health check says that the CN of the backend cert does not match the host header in the health probe. But even if I put *.contoso.com as the custom hostname in the HTTPS settings, or create a custom probe, there is no change. I read that my wildcard could need SANs, but that would make no sense, because I would need a new cert every time I want to add a new subdomain, right? How can I get this to work?

Maybe you can help me.
Pascal
azure-application-gateway

Have you tried the "Pick host name from backend target" option in your HTTP setting? https://docs.microsoft.com/en-us/azure/application-gateway/configuration-overview

0 Votes 0 ·
Diddy512-6008 · SarojKumarPradhan-8405 ·

Thank you for your response. I tried it already, unfortunately no change.

0 Votes 0 ·
0 Votes
GitaraniSharmaMSFT-4262 answered MenonPradeep-9987 commented

Hello @Diddy512-6008 ,


Wildcard host names in listeners for Application Gateway v2 are currently in public preview. You can configure host names with wildcard characters (* and ?) and up to 5 host names per listener as comma-separated values.


Using a wildcard character in the host name, you can match multiple host names in a single listener. For example, *.contoso.com can match with ecom.contoso.com, b2b.contoso.com as well as customer1.b2b.contoso.com and so on.


Please refer to: https://docs.microsoft.com/en-us/azure/application-gateway/multiple-site-overview#wildcard-host-names-in-listener-preview


Kindly let us know if the above helps or you need further assistance on this issue.




Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.



Hello @Diddy512-6008 ,


Any update on this post?


If the suggested response helped you resolve your issue, please don't forget to "Accept the answer" for the benefit of other community members.



Thanks,
Gita


0 Votes 0 ·

Hello @Diddy512-6008 ,


Any update on this post?


Thanks,
Gita


0 Votes 0 ·

Hello @Diddy512-6008 ,

Just checking in to see if the above answer helped. If this answers your query, do click “Please accept as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Gita

0 Votes 0 ·

Do you know when this will be GA?

0 Votes 0 ·
2 Votes
gregorsutttie answered

Do we know when this will GA?


0 Votes
JimM-0184 answered SadafM-7272 published

I have a similar issue. I just have a single backend server in a pool - host.here.com. That server is installed with a wildcard cert which has the CN here.com. I have configured App Gateway for multi-site and I have tried overriding the hostname with 'host.here.com' in the HTTP setting. But it still complains that the CN in the certificate does not match my host name.

It would be nice if app gateway had a setting to make it accept any backend server cert, regardless of mismatch.


You need wildcard SSL to use on subdomains.

0 Votes 0 ·
1 Vote
JimM-0184 answered dcvander commented

I found the issue. Whilst the backend server was presenting the required cert, it was not presenting the full cert chain. Therefore AGW is unhappy with the cert. Once the backend server config was corrected, all came good.


JimM - I'm strangely having this same problem and was curious if you could elaborate on what you did on the backend. I have a wildcard GoDaddy certificate and the HTTP settings are using the Well Known CA option (I've tried adding the root chain manually on the AGW, but I think you are right that it's a backend problem), so like you I'm getting this CN validation issue. Interestingly this doesn't happen with DigiCert certs. How did you configure the backend to properly present the full cert chain?

0 Votes 0 ·
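Added example (not code from any poster on this thread): an offline Python model of the two checks behind the "CN does not match the host header" probe error raised in the question and resolved in JimM's answer. It shows host-name matching against the SAN list (with CN only as a fallback) and a walk of the presented chain to a trusted root, so a leaf sent without its intermediate fails the way the gateway reported. The certificates are constructed dicts standing in for parsed certificates, and the issuer/subject names are made up.

```python
from typing import Sequence, Tuple

# Constructed sample chain (not real certificates): a wildcard leaf, the
# intermediate that signed it, and the root the gateway would trust.
WILDCARD_LEAF = {"subject": "CN=*.contoso.com", "issuer": "CN=Example Intermediate CA",
                 "cn": "*.contoso.com", "san": ["*.contoso.com", "contoso.com"]}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA",
                "cn": "Example Intermediate CA", "san": []}
TRUSTED_ROOTS = [{"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA",
                  "cn": "Example Root CA", "san": []}]


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style name matching: '*' must be the entire left-most label and
    stands for exactly one label, so *.contoso.com matches x1.contoso.com but not
    contoso.com or customer1.b2b.contoso.com (the listener wildcard is looser)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """Like a TLS client: use the SAN dNSNames when present, CN only as fallback.
    A wildcard SAN covers new subdomains, so no new SAN is needed per subdomain."""
    names = cert["san"] or [cert["cn"]]
    return any(hostname_matches(name, host) for name in names)


def chain_is_complete(presented: Sequence[dict], roots: Sequence[dict]) -> Tuple[bool, str]:
    """Walk leaf -> intermediates: each issuer must equal the next subject and the
    last issuer must be a trusted root. A server that sends only the leaf fails."""
    for cert, parent in zip(presented, presented[1:]):
        if cert["issuer"] != parent["subject"]:
            return False, f"{cert['subject']} is not issued by {parent['subject']}"
    last_issuer = presented[-1]["issuer"]
    if any(root["subject"] == last_issuer for root in roots):
        return True, "chain reaches a trusted root"
    return False, f"chain stops at {last_issuer}; the backend must also send the intermediate"


def probe_would_pass(host: str, presented: Sequence[dict], roots: Sequence[dict]) -> Tuple[bool, str]:
    """Both checks for one probe host header: name match first, then the chain."""
    if not cert_matches_host(presented[0], host):
        return False, f"no SAN/CN in {presented[0]['subject']} matches host header {host}"
    return chain_is_complete(presented, roots)
```

On a real backend, `openssl s_client -connect host:443 -servername host -showcerts` shows whether the server sends the intermediate; on Apache that is the certificate bundle referenced by SSLCertificateChainFile (or appended to SSLCertificateFile on 2.4.8+).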
0 Votes
TheyssensKoen-8228 answered

@JimM-0184

I'm equally interested to learn what you did on your backend server config.
