The following points give a high-level summary of what needs to be checked. Please refer to the TechNet documentation for details.
Check that the following services and service applications exist in Central Administration:
- App Management Services
- Microsoft SharePoint Foundation Subscription Settings Service
- App Management Service Application
- Subscription Settings Service Application
- User Profile Service Application
  - at least one profile must exist

Check DNS configuration:
- A forward lookup zone is necessary for the app domain
- Wildcard add-in URLs must resolve to the right SharePoint server
  - subject alternative names are necessary for the app domain (wildcard, i.e. *.<app domain>) as well as for the SharePoint web applications
  - you can check this by pinging one of your (possible) add-in URLs
    - e.g. "ping appcsi-1bc9e8a79b58af.app-csi-sp2016.communardo.local"
- a "catch all" web application that has no explicit host name configured

Check App URL Configuration in Central Administration:
- Configure correct app URL and app prefix
  - Sample:

Check app catalog existence and access:
- create app catalog if none exists
- grant permissions to app catalog (Everyone -> Read)

Remember permissions:
- add-ins with site collection permissions must be added by a site collection administrator

Check HTTPS setup:
- Certificate
  - Prepare to acquire an SSL certificate for server authentication for multiple domains (SAN certificate). It must contain the SharePoint domain(s) as well as the wildcard app domain (as mentioned above), for example:
    - DNS-Name=spcon-tua-sp2016.communardo.local
    - DNS-Name=my-tua-sp2016.communardo.local
    - DNS-Name=*.app-csi-sp2016.communardo.local
    - DNS-Name=spcon-tua-sp2016
- SharePoint must run on HTTPS
- Alternate Access Mappings must correctly map external URLs to HTTPS
  - example configuration:
- pages with SharePoint Connector web parts must be accessible using the https scheme
- Certificates must be valid
- A wildcard certificate must be used for the add-in URLs
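
The SAN requirement from the certificate check above, as an added example that is not part of the original page: a Python check of which host names a certificate's DNS names cover, using the SAN entries listed above. The function names are hypothetical, and the last two host names in the demo are constructed to show what a wildcard entry does not cover.

```python
# Added example: check that a certificate's SAN entries cover every host name
# the SharePoint add-in setup serves. SAN values are the ones listed on the
# page; the add-in host name is taken from the page's ping example.

SAN_ENTRIES = [
    "spcon-tua-sp2016.communardo.local",
    "my-tua-sp2016.communardo.local",
    "*.app-csi-sp2016.communardo.local",
    "spcon-tua-sp2016",
]


def san_matches(pattern: str, host: str) -> bool:
    """Match one SAN DNS name against a host name (RFC 6125 style).

    A wildcard is honoured only as the complete left-most label and stands
    for exactly one label, so *.example.local covers a.example.local but
    neither example.local nor a.b.example.local.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 1 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hosts(hosts, san_entries=SAN_ENTRIES):
    """Return the hosts that no SAN entry covers, in input order."""
    return [h for h in hosts
            if not any(san_matches(s, h) for s in san_entries)]


if __name__ == "__main__":
    hosts = [
        "spcon-tua-sp2016.communardo.local",                      # web application
        "appcsi-1bc9e8a79b58af.app-csi-sp2016.communardo.local",  # add-in URL host
        "app-csi-sp2016.communardo.local",             # bare app domain (constructed)
        "x.appcsi-1.app-csi-sp2016.communardo.local",  # two labels deep (constructed)
    ]
    for host in uncovered_hosts(hosts):
        print("not covered by certificate:", host)
```

Any host this reports would produce a certificate name mismatch in the browser, so either add it to the SAN list or stop serving it over HTTPS under that name.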