Azure Traffic Manager SSL Setup (not classic)

I came across this same issue and was able to finally resolve the problem after applying the following Azure and DNS configurations. The piece I was missing was registering foo.mydomain.com on each of the endpoints. The unique domain must be bound before the API domain; otherwise the API domain governs.

Traffic Manager Endpoints
foo1.mydomain.com
foo2.mydomain.com

Endpoint 1 App Service SSL Bindings:
foo1.mydomain.com (Must Be Added First)
foo.mydomain.com

Endpoint 2 App Service SSL Bindings:
foo2.mydomain.com (Must Be Added First)
foo.mydomain.com

mydomain.com DNS Records
CNAME Host: foo, Value: myapi.trafficmanager.net
CNAME Host: foo1, Value: endpoint1.azurewebsites.net
CNAME Host: foo2, Value: endpoint2.azurewebsites.net

The vanity domain name needs to be assigned to each endpoint app service and the certificate needs to be bound to the individual endpoints i.e., foo1 and foo2 as well as the vanity endpoint. You need to bind the certificate to the vanity domain in all app services that are going to be used as endpoints.

The DNS configuration needs to be as follows:

An A record for each app service endpoint domain, pointing to the IP address assigned by Azure for the app service.

A CNAME pointing from the vanity domain to the *.trafficmanager.net domain.
Please see https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-how-it-works

Since Traffic Manager works at the DNS level, the certificate you are seeing (*.azurewebsites.net) must be coming from the App Service, not from Traffic Manager. You need to configure your App Service to use the correct SSL certificate.

I recommend that you try to get everything working without Traffic Manager, with your vanity domain foo.mydomain.com set up as a CNAME to one of your endpoints (foo1.mydomain.com). Then switch the CNAME to point to the other endpoint (foo2.mydomain.com) and again make sure everything works. Since any issues at this point can't involve Traffic Manager, that makes them easier to debug.

Once you have that working, then re-introduce Traffic Manager into the CNAME chain.

Regards,

Jonathan Tuliani, Program Manager, Azure Networking - DNS and Traffic Manager
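A small check script, added here and not part of any answer above, that follows the debugging order suggested in the thread: connect to each endpoint host directly (bypassing Traffic Manager) with SNI set to the vanity name and report which endpoints still present a certificate that does not cover foo.mydomain.com, which is the symptom the first answer fixes by binding the vanity hostname on every App Service. Host names are the constructed ones from the thread; the certificate dictionaries used in the offline test are constructed.

```python
"""Report Traffic Manager endpoints whose TLS certificate does not cover the vanity name."""
import socket
import ssl

VANITY = "foo.mydomain.com"                          # names from the thread, not a live domain
ENDPOINTS = ["foo1.mydomain.com", "foo2.mydomain.com"]


def san_dns_names(cert):
    """DNS names from the certificate's subjectAltName, as returned by ssl getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost-label wildcard (*.mydomain.com covers foo.mydomain.com only)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def cert_covers(cert, hostname):
    """True when any SAN dNSName entry matches hostname (CN is deliberately ignored)."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def fetch_presented_cert(endpoint, sni, port=443, timeout=5):
    """Connect to the endpoint host itself, send the vanity name as SNI, return the cert it serves.
    The chain is still validated; only the hostname check is disabled so we can judge the name ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def audit(certs_by_endpoint, vanity=VANITY):
    """Map each failing endpoint to the DNS names it presented instead of the vanity name."""
    return {ep: san_dns_names(c) for ep, c in certs_by_endpoint.items() if not cert_covers(c, vanity)}


if __name__ == "__main__":
    presented = {ep: fetch_presented_cert(ep, VANITY) for ep in ENDPOINTS}
    for ep, names in audit(presented).items():
        print(f"{ep}: serves {names}, not valid for {VANITY}; bind {VANITY} on this App Service")
    if not audit(presented):
        print(f"all endpoints serve a certificate valid for {VANITY}")
```

An endpoint listed with only *.azurewebsites.net in its output is the case described in the last answer: the App Service, not Traffic Manager, is choosing the certificate, so the vanity hostname and its certificate binding are missing there.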