Introduction
ERR_SSL_UNRECOGNIZED_NAME_ALERT on Azure Application Gateway usually means the TLS listener or backend path does not recognize the hostname being requested. In practice this often comes from a wrong certificate binding, SNI mismatch on a multi-site listener, or a host header and probe configuration that no longer matches the certificate served for that name.
Symptoms
- Browsers fail the TLS handshake with ERR_SSL_UNRECOGNIZED_NAME_ALERT
- Only one hostname behind the Application Gateway fails while others still work
- The issue appears after adding a new listener, hostname, or certificate
- Health probes may look healthy even though browser traffic fails on the hostname
Common Causes
- The listener certificate does not cover the requested hostname
- A multi-site listener does not include the correct host name or SNI path
- Backend host header rewrite sends a different name than the certificate expects
- A recently rotated certificate was not bound to the listener that serves the hostname
Step-by-Step Fix
1. Inspect the live certificate and hostname.
2. Check the Application Gateway listener and certificate binding.
3. Validate hostname and SNI behavior across listeners.
4. Retest after rebinding the correct certificate.
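The check behind steps 1 to 3 can be run against a listener inventory before retesting in a browser. The following is an added example, not part of the original page or any Azure tooling; the inventory, its field names (`name`, `host_names`, `cert_sans`) and the `example.com` hostnames are constructed for illustration.

```python
# Added example: constructed inventory, hypothetical field names.
def san_matches(hostname, san):
    """Return True if one certificate SAN entry covers hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, so *.example.com does not cover example.com
    or a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    first_label, _, parent = host.partition(".")
    return bool(first_label) and parent == san[2:]


def audit(listeners, requested):
    """Map each requested hostname to 'ok' or the reason it would fail."""
    findings = {}
    for host in requested:
        # Step 3: is there a listener whose host names include this name?
        listener = next(
            (l for l in listeners
             if host.lower() in (h.lower() for h in l["host_names"])),
            None,
        )
        if listener is None:
            findings[host] = "no listener host name matches"
        # Steps 1 and 2: does the certificate bound there cover the name?
        elif not any(san_matches(host, s) for s in listener["cert_sans"]):
            findings[host] = "certificate on %s does not cover hostname" % listener["name"]
        else:
            findings[host] = "ok"
    return findings


# Constructed sample inventory (not real Azure output).
LISTENERS = [
    {"name": "lst-app", "host_names": ["app.example.com"], "cert_sans": ["*.example.com"]},
    # Rotated certificate was never rebound to this listener.
    {"name": "lst-api", "host_names": ["api.example.com"], "cert_sans": ["api-old.example.com"]},
    # Wildcard covers one label only, so it misses shop.eu.example.com.
    {"name": "lst-shop", "host_names": ["shop.eu.example.com"], "cert_sans": ["*.example.com"]},
]
REQUESTED = ["app.example.com", "api.example.com", "shop.eu.example.com", "new.example.com"]

if __name__ == "__main__":
    for host, result in audit(LISTENERS, REQUESTED).items():
        print(f"{host}: {result}")
```
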
Prevention
- Keep one clear certificate inventory per listener and hostname
- Validate SNI and SAN coverage whenever adding a multi-site listener
- Review custom probe host headers together with TLS hostname expectations
- Re-test the public hostname immediately after certificate rotation