Ping with "Verify SSL" fails for custom Azure SSL

Hi,

When setting the “Verify SSL” option in APM Availability Monitoring for an Azure Website with a custom domain name and SSL binding, a false downtime is reported because New Relic is trying to verify the default Azure SSL, not my custom SSL binding:

I get the following error:

… currently down SSL Error, Host api.mydomain.com not found in certificate (*.azurewebsites.net, *.azurewebsites.net, *.scm.azurewebsites.net, *.azure-mobile.net, *.scm.azure-mobile.net)

The CNAME and SSL are correctly configured on Azure as opening the page with a browser finds the correct SSL.

Permalink to New Relic alert: https://rpm.newrelic.com/accounts/1042167/applications/8421227/downtime/16247645

  1. Why is APM not recognizing my custom SSL binding when ping is using the CNAME?
  2. Is Synthetics Ping Monitor affected by the same issue?

Thanks,

Dominic.

Hey @dstj,

I took a glance at the URL used in the availability monitoring settings and running a check in SSL labs seems to indicate that the site uses SNI which our availability monitor doesn’t quite support. This would explain the error you are seeing in the downtime events.

The nice thing, and something that will address your 2nd point, is that Synthetics Ping monitors do support SNI sites and should give you a more accurate representation of the availability of your site. I went ahead and tested this out and with the verify ssl setting the checks are coming back successfully without any issue. One thing I did notice is that you may need to select the “Bypass HEAD request” setting as well. Doesn’t seem that HEAD is accepted on the site and shows up as a 404 on the success results (GET results in a 200) which may be a bit confusing.

I just reconfigured our Main application from APM to Synthetics. The site was moved to Azure just recently, and we encountered the same issue as the OP.

I did not have to check the ‘Bypass HEAD request’, it works without any visible issue. Perhaps because our site requires authentication and the HEAD request returns a 302 towards the login page.

@avantida Availability monitoring does not support SNI, which Azure uses. I would suggest using the Synthetics ping monitors to check your uptime going forward.
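
The SNI behaviour described in the replies above can be reproduced locally. This is an added example, not part of the original thread and not New Relic or Azure code: it assumes OpenSSL 1.1.1 or later, and the host name `api.mydomain.example`, port 14433 and file names are placeholders. The server holds a default certificate and a custom one; a client that sends no SNI is handed the default, which is what produces the "Host ... not found in certificate" error.

```sh
#!/bin/sh
# Constructed lab: a local TLS endpoint that serves a default certificate
# unless the client names the custom host via SNI. Host name, port and file
# names are assumptions for the demo; only the default CN comes from the thread.
LAB=$(mktemp -d)
PORT=14433
CUSTOM_HOST=api.mydomain.example
DEFAULT_CN='*.azurewebsites.net'

make_cert() {  # make_cert <file-prefix> <common-name>: throwaway self-signed cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

start_server() {
  make_cert default "$DEFAULT_CN"
  make_cert custom "$CUSTOM_HOST"
  # -cert/-key is the default; -cert2/-key2 is used only when the
  # ClientHello carries SNI equal to -servername.
  openssl s_server -accept "$PORT" -www \
    -cert "$LAB/default.crt" -key "$LAB/default.key" \
    -servername "$CUSTOM_HOST" \
    -cert2 "$LAB/custom.crt" -key2 "$LAB/custom.key" >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1  # give the listener time to bind
}

stop_server() { kill "$SERVER_PID" 2>/dev/null; rm -rf "$LAB"; }

# served_subject <sni|nosni>: subject of the certificate the server presents
served_subject() {
  if [ "$1" = sni ]; then sni_opt="-servername $CUSTOM_HOST"
  else sni_opt="-noservername"; fi
  # $sni_opt is left unquoted on purpose so it splits into option + value
  openssl s_client -connect "127.0.0.1:$PORT" $sni_opt </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

trap stop_server EXIT
start_server
echo "without SNI: $(served_subject nosni)"
echo "with SNI:    $(served_subject sni)"
```

Pointing the two `s_client` calls at a real endpoint instead of the lab server gives the same comparison for a production site.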