Azure Application Gateway – The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway.

If end-to-end TLS on Azure Application Gateway v2 fails and the backend health page shows this error:

The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend

the gateway could not build a chain from the certificate your backend presents to any of the trusted root certificates uploaded to the gateway. The certificate you upload must be the root CA that signed the backend's server certificate (not the leaf itself, unless the leaf is self-signed), in Base64-encoded .cer format, and the backend must send any intermediate certificates in its TLS handshake so the gateway can complete the chain.

First check whether your backend web server presents a single-level (self-signed) certificate rather than one issued by a CA. If it does not, work through the steps below; if it does, read to the end.
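The check above is easiest to do from a machine that can reach the backend directly. The following script is an added example, not part of the original post: it opens a TLS connection to the backend, prints the certificate chain the server actually sends (leaf first), reports whether the leaf is self-signed, and exports the top of the chain as a Base64 .cer file ready to upload as the trusted root. The backend host name, port and output path are assumptions.

```powershell
# Added example, not code from the original post. Host name, port and output path are assumptions.
function Get-BackendRootCertificate {
    param(
        [Parameter(Mandatory)] [string]$BackendHost,   # the name App Gateway will send as SNI
        [int]$Port = 443,
        [string]$OutFile = "c:\backend-root.cer"       # assumed output path
    )

    # The validation callback only records what the server sent; trust is not decided here.
    $captured = @{ Elements = @(); Status = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $captured.Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $captured.Status   = @($chain.ChainStatus   | ForEach-Object { $_.Status })
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($BackendHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($BackendHost) }
    finally { $ssl.Dispose(); $tcp.Dispose() }

    $chain = $captured.Elements
    $leaf  = $chain[0]
    $top   = $chain[-1]

    Write-Host "Chain as seen by the client ($($chain.Count) certificate(s)):"
    foreach ($c in $chain) { Write-Host ("  {0}`n     issued by {1}" -f $c.Subject, $c.Issuer) }
    Write-Host "Leaf SANs: $($leaf.DnsNameList -join ', ')   (must cover '$BackendHost')"
    if ($captured.Status.Count) { Write-Host "Chain status: $($captured.Status -join ', ')" }

    if ($leaf.Subject -eq $leaf.Issuer) {
        Write-Host "Single-level (self-signed) certificate: upload the leaf itself as the trusted root."
    } elseif ($top.Subject -ne $top.Issuer) {
        Write-Host "Chain does not end at a self-signed root: the backend is not sending its intermediate/root certificates. App Gateway cannot build the chain from the leaf alone."
    } else {
        Write-Host "Upload this root as the trusted root certificate: $($top.Subject)"
    }

    # Export the top of the chain as Base64 .cer, the format the gateway accepts.
    $der = $top.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`n-----END CERTIFICATE-----"
    Set-Content -Path $OutFile -Value $pem -Encoding ascii
    Write-Host "Wrote $OutFile"
    return $top
}

Get-BackendRootCertificate -BackendHost "backend.example.internal"   # assumed backend address
```

If the chain printed here ends at an intermediate rather than a self-signed root, fix the backend's TLS configuration to send the full chain before touching the gateway; uploading the root alone will not help while the gateway cannot link the leaf to it.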

Create a temporary listener on another port, for example 80 over HTTP, together with a rule and backend HTTP settings for it. It will not carry traffic; it exists only so the gateway keeps a valid configuration while you delete everything connected with the existing 443 listener, including its health probes, rules and backend HTTP settings. Alternatively, delete the Application Gateway and create a new one that uses only 80/HTTP.

Then run the following script. It uploads the root certificate and creates new HTTPS backend settings that reference it:

Connect-AzAccount
$appgwName = "mariuszcert-appgateway"
$resgpName = "MariusCertTest"
$certName  = "RootPrivateCert"
$gw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $resgpName
# Upload the root CA certificate (Base64 .cer) that signed the backend's server certificate
$gw = Add-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name $certName -CertificateFile "c:\privatecer.cer"
# New HTTPS backend settings bound to that root; the backend address is used as the SNI/host header
$gw = Add-AzApplicationGatewayBackendHttpSettings -ApplicationGateway $gw -Name "dwa" -Port 443 -Protocol Https -CookieBasedAffinity Enabled -PickHostNameFromBackendAddress -TrustedRootCertificate $gw.TrustedRootCertificates[0]
# Push the modified configuration to Azure
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

Now add an HTTPS (443) listener and a request routing rule that uses the new backend HTTP settings, then verify backend health.

After that, you can delete the rules, listener and backend settings connected with port 80.
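The listener and rule steps are shown in the original post as portal screenshots. The following script is an added example, not code from the original post, that performs the same steps with Az PowerShell against the "dwa" backend settings and "RootPrivateCert" created by the script above: it adds a health probe, a 443 frontend port, the gateway's own TLS certificate, the HTTPS listener and a routing rule, then removes the temporary port-80 plumbing. The PFX path and the names of the port-80 rule, listener, port and settings ("rule80", "listener80", "port80", "settings80") are assumptions.

```powershell
# Added example, not code from the original post. Resource names marked below are assumptions.
$appgwName = "mariuszcert-appgateway"
$resgpName = "MariusCertTest"
$pfxPath   = "c:\frontend.pfx"                                  # assumed: cert the gateway presents to clients
$pfxPass   = Read-Host -AsSecureString -Prompt "PFX password"

$gw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $resgpName

# Health probe over HTTPS, using the host name from the backend settings (same as the settings' SNI)
$gw    = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "probe443" -Protocol Https -Path "/" `
             -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "probe443"

# Re-declare the existing "dwa" settings so the probe is attached; the trusted root stays bound
$root = Get-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $gw -Name "RootPrivateCert"
$gw   = Set-AzApplicationGatewayBackendHttpSettings -ApplicationGateway $gw -Name "dwa" -Port 443 -Protocol Https `
            -CookieBasedAffinity Enabled -PickHostNameFromBackendAddress -TrustedRootCertificate $root -Probe $probe
$settings = Get-AzApplicationGatewayBackendHttpSettings -ApplicationGateway $gw -Name "dwa"

# Frontend side: port 443, the gateway's TLS certificate, and an HTTPS listener
$gw   = Add-AzApplicationGatewayFrontendPort   -ApplicationGateway $gw -Name "port443" -Port 443
$gw   = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "frontendCert" -CertificateFile $pfxPath -Password $pfxPass
$fip  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw | Select-Object -First 1
$fp   = Get-AzApplicationGatewayFrontendPort     -ApplicationGateway $gw -Name "port443"
$cert = Get-AzApplicationGatewaySslCertificate   -ApplicationGateway $gw -Name "frontendCert"
$gw   = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener443" -Protocol Https `
            -FrontendIPConfiguration $fip -FrontendPort $fp -SslCertificate $cert
$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "listener443"

# Routing rule tying the listener to the backend pool and the HTTPS settings (v2 rules require a priority)
$pool = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw | Select-Object -First 1
$gw   = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "rule443" -RuleType Basic -Priority 100 `
            -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $settings

# Remove the temporary port-80 plumbing (assumed names), rule first so nothing still references the rest
$gw = Remove-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "rule80"
$gw = Remove-AzApplicationGatewayHttpListener       -ApplicationGateway $gw -Name "listener80"
$gw = Remove-AzApplicationGatewayFrontendPort       -ApplicationGateway $gw -Name "port80"
$gw = Remove-AzApplicationGatewayBackendHttpSettings -ApplicationGateway $gw -Name "settings80"

# One deployment for all of the above
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Confirm the backend is now healthy behind the new settings
Get-AzApplicationGatewayBackendHealth -Name $appgwName -ResourceGroupName $resgpName |
    Select-Object -ExpandProperty BackendAddressPools
```

All Add-/Set-/Remove- cmdlets here only change the in-memory $gw object; nothing reaches Azure until the single Set-AzApplicationGateway at the end, which is why the port-80 pieces can be removed in the same pass that creates their 443 replacements.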

If you still see the error, the last resort is an Application Gateway v1 (Standard). The v1 SKU does not use trusted root certificates; it whitelists the backend by an uploaded copy of the backend's own public certificate (an "authentication certificate"), so it works with single-level certificates. Before falling back, note that v2 also accepts a self-signed backend certificate if you upload that certificate itself as the trusted root, and that v1 is the older SKU without the v2 features, so downgrading should be a conscious trade-off rather than the default fix.