Why Azure Gateway can't properly bind root certificate with nginx ingress controller?

I'm trying to create a solution based on Azure AKS Baseline. I have an AKS with Nginx Ingress Controller and Azure Gateway V2. I need to secure the conversation between Azure Gateway V2 and the Nginx Ingress Controller by using certificates that were generated by Azure Key Vault.

In the backend health probe I have this error:

The root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend

  1. 3 certificates were added to the Key Vault: root, intermediate and vl.aks-ingress.mydomain.com. The intermediate certificate's CSR was signed by the root private key and merged into Key Vault. The domain's CSR was signed by the intermediate private key and merged into Key Vault.

That's how I signed intermediate and domain certificates:

    # Assumes $KeyVaultName, $SignerCertificateName, $CertificateName and $Subject are
    # set by the calling script. Fetch the signer (root or intermediate) as a PFX from
    # Key Vault; Key Vault exports it with an empty password.
    $signerCertSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SignerCertificateName
    $signerCertSecretByte = [Convert]::FromBase64String(($signerCertSecret.SecretValue | ConvertFrom-SecureString -AsPlainText))
    $signerCertPfxFilePath = New-TemporaryFile
    [System.IO.File]::WriteAllBytes($signerCertPfxFilePath, $signerCertSecretByte)

    # Create the new certificate in Key Vault with an "Unknown" issuer so that Key Vault
    # generates the key pair and exposes a pending CSR for external signing.
    $policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" `
        -SubjectName "CN=$Subject" `
        -IssuerName "Unknown" `
        -ValidityInMonths 60 `
        -ReuseKeyOnRenewal
    $null = Add-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName -CertificatePolicy $policy

    # Key Vault returns the CSR as bare base64; wrap it in PEM headers for openssl.
    $csrTempFile = New-TemporaryFile
    $certCsr = '-----BEGIN CERTIFICATE REQUEST-----' + `
        [Environment]::NewLine + `
        (Get-AzKeyVaultCertificateOperation -VaultName $KeyVaultName -Name $CertificateName).CertificateSigningRequest + `
        [Environment]::NewLine + `
        '-----END CERTIFICATE REQUEST-----'
    [System.IO.File]::WriteAllText($csrTempFile, $certCsr)

    # Split the signer PFX into its private key (re-encrypted with $pass) and its certificate.
    $signerKeyFile = New-TemporaryFile
    $signerCertFile = New-TemporaryFile
    $pass = "pass123"
    openssl pkcs12 -in $signerCertPfxFilePath -nocerts -out $signerKeyFile -passin pass: -passout pass:$pass
    openssl pkcs12 -in $signerCertPfxFilePath -clcerts -nokeys -out $signerCertFile -passin pass:

    # Sign the CSR with the signer's key. Note: with no -extfile/-extensions given,
    # openssl x509 -req puts no basicConstraints or keyUsage into the issued certificate.
    $signedNewCert = New-TemporaryFile
    openssl x509 -req -in $csrTempFile -days 3650 -CA $signerCertFile -CAkey $signerKeyFile -CAcreateserial -out $signedNewCert -passin pass:$pass

    # Merge the signed certificate back into the pending Key Vault certificate operation.
    az keyvault certificate pending merge --vault-name $KeyVaultName --name $CertificateName --file $signedNewCert
  2. After that, I imported everything to my Windows machine and exported the full chain (I didn't find any way to do it automatically via Key Vault). This full-chain certificate I added to the Key Vault as a secret. Then this secret was added as a secret to the AKS. To test that everything is OK with nginx ingress, I added a Windows VM to the same network. Inside AKS I added some super small server and requested it from the browser in my VM. The browser cried that the certificate is unsafe, but I got the full chain:

  3. Then I downloaded the root CA .cer from the Key Vault and added it to the gateway. My understanding is that everything should work properly after that. But I'm still getting the "root certificate wrong" error.

I would appreciate any help or advice, because I've already wasted a week on that and don't have any significant progress.

Thanks in advance!
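A local check, added here and not part of the question or of the AKS Baseline: it rebuilds a chain with the same `openssl x509 -req` signing step the question uses and runs `openssl verify` against a single trusted root, which is roughly what a gateway does when it validates the chain a backend serves against one uploaded root. The intermediate is issued twice, once with no extensions and once with basicConstraints CA:TRUE; all file names, subjects and the throwaway CA are constructed for the demo.

```shell
#!/bin/sh
# Added check, not code from the question: rebuild a chain with the same
# "openssl x509 -req" step the question uses and verify it against one trusted
# root, as a gateway does. File names, subjects and the throwaway CA are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Self-signed root carrying explicit CA extensions.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -days 30 -signkey root.key -extfile ca.ext \
    -out root.crt 2>/dev/null

# Intermediate key and CSR (in the question, Key Vault generates these).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null

# (a) Signed as in the question: no -extfile, so the issued certificate carries
#     no basicConstraints or keyUsage and OpenSSL will not accept it as a CA.
openssl x509 -req -in int.csr -days 30 -CA root.crt -CAkey root.key \
    -CAcreateserial -out int-plain.crt 2>/dev/null

# (b) Same CSR, signed with CA extensions supplied through -extfile.
openssl x509 -req -in int.csr -days 30 -CA root.crt -CAkey root.key \
    -CAcreateserial -out int-ca.crt -extfile ca.ext 2>/dev/null

# Leaf CSR, then one leaf issued under each intermediate (same intermediate key).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vl.aks-ingress.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:vl.aks-ingress.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -in leaf.csr -days 30 -CA int-plain.crt -CAkey int.key \
    -CAcreateserial -out leaf-plain.crt -extfile leaf.ext 2>/dev/null
openssl x509 -req -in leaf.csr -days 30 -CA int-ca.crt -CAkey int.key \
    -CAcreateserial -out leaf-ca.crt -extfile leaf.ext 2>/dev/null

# verify_chain INTERMEDIATE LEAF: exit 0 if LEAF chains to root.crt via INTERMEDIATE.
# -untrusted plays the chain the backend serves; -CAfile the single uploaded root.
verify_chain() {
    openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1
}

# is_ca CERT: exit 0 if CERT carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

if verify_chain int-ca.crt leaf-ca.crt; then echo "chain (b): OK"; fi
if verify_chain int-plain.crt leaf-plain.crt; then echo "chain (a): OK"; else echo "chain (a): rejected"; fi
```

Running `openssl verify` without the `>/dev/null` redirect shows the reason for chain (a): "invalid CA certificate" at depth 1, because the intermediate was issued without CA extensions.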



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow