# Fix Azure Application Gateway SSL Error
You're accessing your Azure Application Gateway and getting ERR_SSL_UNRECOGNIZED_NAME_ALERT or similar SSL errors. The browser can't establish a secure connection.
## Introduction

`ERR_SSL_UNRECOGNIZED_NAME_ALERT` means the Application Gateway doesn't have a valid SSL certificate for the hostname you're requesting: the hostname sent in the SNI (Server Name Indication) extension doesn't match any configured certificate.
## Symptoms
- ERR_SSL_UNRECOGNIZED_NAME_ALERT in browser
- SSL certificate mismatch errors
- HTTPS connection failures
- Browser security warnings
Common error messages:

```
ERR_SSL_UNRECOGNIZED_NAME_ALERT
ERR_SSL_CERTIFICATE_INVALID
NET::ERR_CERT_AUTHORITY_INVALID
```

## Common Causes
- No SSL certificate configured for hostname
- Certificate hostname mismatch
- Expired SSL certificate
- Self-signed certificate not trusted
- Missing or misconfigured HTTPS listener
## Step-by-Step Fix

Check Application Gateway status:

```bash
# Get Application Gateway
az network application-gateway show \
  --name my-appgw \
  --resource-group my-rg \
  --query '{provisioningState: provisioningState, operationalState: operationalState}'

# List listeners
az network application-gateway http-listener list \
  --gateway-name my-appgw \
  --resource-group my-rg

# List SSL certificates
az network application-gateway ssl-cert list \
  --gateway-name my-appgw \
  --resource-group my-rg
```
Test SSL connectivity:
```bash
# -connect is the gateway's frontend address (placeholder here);
# -servername is the SNI hostname sent in the TLS handshake.

# Test SSL connection
openssl s_client -connect my-appgw.azurewebsites.net:443 -servername mydomain.com

# Check certificate
echo | openssl s_client -connect my-appgw.azurewebsites.net:443 -servername mydomain.com 2>/dev/null \
  | openssl x509 -noout -text

# Test with curl
curl -vI https://mydomain.com
```
## Common Causes and Solutions

### Cause 1: Missing SSL Certificate

```
# Error: No certificate for hostname
```

Solution:

```bash
# Upload SSL certificate
# (MyPassword123 is a placeholder; a password typed on the command line
#  can end up in shell history)
az network application-gateway ssl-cert create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name mydomain-cert \
  --cert-file mydomain.pfx \
  --cert-password MyPassword123

# Or use Key Vault certificate (no PFX password on the command line)
az network application-gateway ssl-cert create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name mydomain-cert \
  --key-vault-secret-id https://myvault.vault.azure.net/secrets/mycert
```
### Cause 2: Listener Not Configured for HTTPS

```
# Error: HTTP listener, no HTTPS
```

Solution:

```bash
# Create frontend port for HTTPS (it must exist before a listener references it)
az network application-gateway frontend-port create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name https-port \
  --port 443

# Create HTTPS listener (--frontend-port takes the frontend port's name or ID)
az network application-gateway http-listener create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name my-https-listener \
  --frontend-port https-port \
  --ssl-cert mydomain-cert \
  --host-name mydomain.com
```
### Cause 3: SNI Mismatch

```
# Error: Certificate doesn't match hostname
```

Solution:

```bash
# Check certificate hostnames
az network application-gateway ssl-cert show \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name mydomain-cert

# Update listener with correct hostname
az network application-gateway http-listener update \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name my-https-listener \
  --host-name mydomain.com

# For multiple hostnames, create multiple listeners
# (--frontend-port takes the name or ID of a frontend port, e.g. https-port for 443)
az network application-gateway http-listener create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name www-listener \
  --frontend-port https-port \
  --ssl-cert mydomain-cert \
  --host-name www.mydomain.com
```
### Cause 4: Multi-site Listener Issues

```
# Error: Wrong site served
```

Solution:

```bash
# Create multi-site listeners: one listener per hostname, each with its own certificate
# (--frontend-port takes the name or ID of a frontend port, e.g. https-port for 443)
az network application-gateway http-listener create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name site1-listener \
  --frontend-port https-port \
  --ssl-cert site1-cert \
  --host-name site1.com

az network application-gateway http-listener create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name site2-listener \
  --frontend-port https-port \
  --ssl-cert site2-cert \
  --host-name site2.com
```
### Cause 5: Wildcard Certificate Issues

```
# Error: Wildcard cert not matching
```

Solution:

```bash
# Wildcard certificates work for *.domain.com
# For subdomain.example.com, use *.example.com cert

# Verify certificate covers hostname
openssl x509 -in cert.pem -text -noout | grep -A1 "Subject Alternative Name"

# Create listener with wildcard cert
# (--frontend-port takes the name or ID of a frontend port, e.g. https-port for 443)
az network application-gateway http-listener create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name wildcard-listener \
  --frontend-port https-port \
  --ssl-cert wildcard-cert \
  --host-names sub1.example.com sub2.example.com
```
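The SAN check above can be scripted so that every listener hostname is compared against the certificate before the listener is created. The following is an added example, not part of the original article: the function names and the sample SAN line are constructed, and the matching follows the usual TLS rule that a wildcard covers exactly one left-most label (so `*.example.com` covers neither `example.com` nor `api.dev.example.com`).

```bash
# Added example: report listener hostnames that a certificate's SAN list does not cover.
# Function names and the sample SAN line are constructed for illustration.

# Lower-case a name and drop a trailing dot.
normalize() (
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s' "${name%.}"
)

# san_matches HOST PATTERN: succeed if PATTERN covers HOST.
# A wildcard counts only as the whole left-most label and stands for exactly one label.
san_matches() (
  host=$(normalize "$1"); pattern=$(normalize "$2")
  case "$pattern" in
    '*.'*)
      suffix=${pattern#'*.'}   # "*.example.com" -> "example.com"
      rest=${host#*.}          # "sub.example.com" -> "example.com"
      [ "$host" != "$rest" ] && [ -n "${host%%.*}" ] && [ "$rest" = "$suffix" ]
      ;;
    *) [ "$host" = "$pattern" ] ;;
  esac
)

# dns_sans: read openssl's SAN text on stdin, print one DNS name per line.
dns_sans() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# uncovered_hosts HOST...: SAN text on stdin; print each HOST that no SAN entry covers.
uncovered_hosts() (
  set -f                       # keep "*.example.com" from being glob-expanded
  sans=$(dns_sans)
  for host in "$@"; do
    covered=no
    for san in $sans; do
      if san_matches "$host" "$san"; then covered=yes; break; fi
    done
    [ "$covered" = yes ] || printf '%s\n' "$host"
  done
)

# Constructed sample, in the form printed under "X509v3 Subject Alternative Name:".
SAMPLE_SANS='DNS:*.example.com, DNS:example.com'

printf '%s\n' "$SAMPLE_SANS" |
  uncovered_hosts sub1.example.com example.com api.dev.example.com mydomain.com

# Against a real certificate file:
#   openssl x509 -in cert.pem -noout -text | grep -A1 "Subject Alternative Name" |
#     uncovered_hosts sub1.example.com sub2.example.com
```

Any hostname the script prints needs either its own SAN entry or a separate certificate and listener.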
### Cause 6: Backend HTTPS Configuration

```
# Error: Backend connection issues
```

Solution:

```bash
# Configure backend HTTP settings for HTTPS
az network application-gateway http-settings create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name https-settings \
  --port 443 \
  --protocol Https \
  --cookie-based-affinity Disabled

# With backend authentication certificate
# (authentication certificates apply to the v1 SKU; on v2, upload a trusted root
#  certificate with "az network application-gateway root-cert create" instead)
az network application-gateway auth-cert create \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name backend-cert \
  --cert-file backend.pem

az network application-gateway http-settings update \
  --gateway-name my-appgw \
  --resource-group my-rg \
  --name https-settings \
  --auth-certs backend-cert
```
### Cause 7: DNS Not Pointing to Application Gateway

```
# Error: Certificate valid but wrong server
```

Solution:

```bash
# Check DNS points to Application Gateway
nslookup mydomain.com

# Get Application Gateway public IP
az network public-ip show \
  --name my-appgw-pip \
  --resource-group my-rg \
  --query ipAddress

# Update DNS record to point to Application Gateway IP
```
## Complete Application Gateway Configuration

### Terraform Example

```hcl
# Assumes azurerm_resource_group.main and azurerm_subnet.appgw are defined elsewhere.

# Public IP
resource "azurerm_public_ip" "appgw" {
  name                = "appgw-pip"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Application Gateway
resource "azurerm_application_gateway" "main" {
  name                = "my-appgw"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "appgw-ip-config"
    subnet_id = azurerm_subnet.appgw.id
  }

  frontend_port {
    name = "http-port"
    port = 80
  }

  frontend_port {
    name = "https-port"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "appgw-frontend"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }

  ssl_certificate {
    name = "mydomain-cert"
    data = filebase64("mydomain.pfx")
    # Placeholder password; in a real configuration supply it through a
    # sensitive variable rather than committing it in the .tf file.
    password = "MyPassword123"
  }

  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "appgw-frontend"
    frontend_port_name             = "https-port"
    protocol                       = "Https"
    ssl_certificate_name           = "mydomain-cert"
    host_name                      = "mydomain.com"
  }

  backend_address_pool {
    name  = "backend-pool"
    fqdns = ["backend.example.com"]
  }

  backend_http_settings {
    name                  = "http-settings"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 60
  }

  request_routing_rule {
    name                       = "https-rule"
    rule_type                  = "Basic"
    priority                   = 100 # required for v2 SKUs by azurerm provider 3.x and later
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "backend-pool"
    backend_http_settings_name = "http-settings"
  }
}
```
## Verification

```bash
# Test SSL
openssl s_client -connect mydomain.com:443 -servername mydomain.com

# Check certificate details
echo | openssl s_client -connect mydomain.com:443 -servername mydomain.com 2>/dev/null \
  | openssl x509 -noout -dates

# Test HTTPS
curl -vI https://mydomain.com

# Check Application Gateway health (operational state of the gateway itself)
az network application-gateway show \
  --name my-appgw \
  --resource-group my-rg \
  --query operationalState

# View backend health
az network application-gateway show-backend-health \
  --name my-appgw \
  --resource-group my-rg
```
## Prevention

- [ ] SSL certificate uploaded to Application Gateway
- [ ] HTTPS listener configured with certificate
- [ ] Hostname matches certificate CN/SAN
- [ ] DNS points to Application Gateway IP
- [ ] Frontend port 443 configured
- [ ] Request routing rule connects listener to backend
- [ ] Backend pool has correct targets
- [ ] Backend HTTP settings correct (HTTP/HTTPS)
- [ ] Firewall allows port 443
- [ ] Certificate not expired