New Web Server SAN Cert Breaks OSD

I applied a new web server cert to the primary site to use an alternative name (fwc-sccm) rather than the FQDN. This is because the app catalog will not pass through credentials with the FQDN. The new cert worked just fine for that, and everything else, it seemed, until we tried OSD. From the failed task sequence, DNS is working just fine. The logs look like:

<![LOG[CLibSMSMessageWinHttpTransport::Send: URL: FWC-SCCM.fws.example.com:443  GET /SMS_MP_AltAuth/.sms_aut?MPKEYINFORMATIONMEDIA]LOG]!><time="07:42:28.668+480" date="03-25-2015" component="TSMBootstrap" context="" type="1" thread="800" file="libsmsmessaging.cpp:8604">
<![LOG[In SSL, but with no client cert]LOG]!><time="07:42:28.668+480" date="03-25-2015" component="TSMBootstrap" context="" type="1" thread="800" file="libsmsmessaging.cpp:8738">
<![LOG[[TSMESSAGING] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="1" thread="800" file="libsmsmessaging.cpp:609">
<![LOG[[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="libsmsmessaging.cpp:610">
<![LOG[[TSMESSAGING]                : dwStatusInformationLength is 4
]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="libsmsmessaging.cpp:611">
<![LOG[[TSMESSAGING]                : *lpvStatusInformation is 0x10
]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="libsmsmessaging.cpp:612">
<![LOG[[TSMESSAGING]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="libsmsmessaging.cpp:632">
<![LOG[[TSMESSAGING] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="libsmsmessaging.cpp:642">
<![LOG[Error. Received 0x80072f8f from WinHttpSendRequest.]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="1" thread="800" file="libsmsmessaging.cpp:8870">
<![LOG[hr, HRESULT=80072f8f (e:\qfe\nts\sms\framework\osdmessaging\libsmsmessaging.cpp,8919)]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="libsmsmessaging.cpp:8919">
<![LOG[sending with winhttp failed; 80072f8f]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="libsmsmessaging.cpp:8919">
<![LOG[m_pHttpTransport->Send (0, 0, pServerReply, nReplySize), HRESULT=80072f8f (e:\qfe\nts\sms\framework\osdmessaging\libsmsmessaging.cpp,5159)]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="libsmsmessaging.cpp:5159">
<![LOG[MPKeyInformation.RequestMPKeyInformationForMedia(szTrustedRootKey), HRESULT=80072f8f (e:\qfe\nts\sms\framework\osdmessaging\libsmsmessaging.cpp,9410)]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="libsmsmessaging.cpp:9410">
<![LOG[Failed to get information for MP: https://FWC-SCCM.fws.example.com. 80072f8f.]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="3" thread="800" file="tsmbootstraputil.cpp:1518">
<![LOG[sMP.length() > 0, HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmbootstraputil.cpp,1526)]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="tsmbootstraputil.cpp:1526">
<![LOG[TSMBootstrapUtil::SelectMP ( sSMSTSMP.c_str(), sMediaPfx.c_str(), sMediaGuid.c_str(), sAuthenticator.c_str(), sEnterpriseCert.c_str(), sServerCerts.c_str(), nHttpPort, nHttpsPort, bUseCRL, sSiteCode, sAssignedSiteCode, sMP, sCertificates, sX86UnknownMachineGUID, sX64UnknownMachineGUID), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,907)]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="tsmediawizardcontrol.cpp:907">
<![LOG[Exiting TSMediaWizardControl::GetPolicy.]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="tsmediawizardcontrol.cpp:1420">
<![LOG[pWelcomePage->m_pTSMediaWizardControl->GetPolicy(), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmediawelcomepage.cpp,303)]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="800" file="tsmediawelcomepage.cpp:303">
<![LOG[Setting wizard error: An error occurred while retrieving policy for this computer  (0x80004005). For more information, contact your system administrator or helpdesk operator.]LOG]!><time="07:42:28.824+480" date="03-25-2015" component="TSMBootstrap" context="" type="0" thread="884" file="tsmediawizardcontrol.cpp:1589">

March 25th, 2015 11:52am

This may seem like common sense to others... When I generated the certificate I used:

SN=fwc-sccm.fws.example.com

DNS=fwc-sccm

Apparently I needed to add the SN to the DNS names as well. As soon as I regenerated the cert with the following, everything hopped and started working almost immediately:

SN=fwc-sccm.fws.example.com

DNS=fwc-sccm

DNS=fwc-sccm.fws.example.com

I had to change the app catalog website point to 80 then back to 443 to make it come back up. Simple solution to 4 hours of banging my head yesterday.

  • Marked as answer by Ed Willson 15 hours 5 minutes ago
March 25th, 2015 12:40pm
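
The behaviour described in the answer above, as an added example that is not part of the original thread: under the RFC 2818/6125 matching rule, a certificate that carries any SAN DNS entry is checked against those entries only, and the subject CN is used just as a fallback when there is no SAN. This models the rule rather than WinHTTP's own code; the function names are hypothetical, and the certificate values and host are the ones quoted in the posts and the log.

```python
# Added example: models RFC 2818/6125 host-name matching, not WinHTTP internals.

def name_match(pattern: str, host: str) -> bool:
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def names_checked(subject_cn: str, san_dns: list) -> list:
    """With any SAN DNS entry present the CN is ignored; otherwise CN is the fallback."""
    return list(san_dns) if san_dns else [subject_cn]

def host_matches(host: str, subject_cn: str, san_dns: list) -> bool:
    return any(name_match(n, host) for n in names_checked(subject_cn, san_dns))

# Certificates as described in the posts (subject name plus SAN DNS entries).
CN = "fwc-sccm.fws.example.com"
FIRST_CERT_SAN = ["fwc-sccm"]
REISSUED_CERT_SAN = ["fwc-sccm", "fwc-sccm.fws.example.com"]
# Host requested by the task sequence, from the TSMBootstrap log line.
MP_HOST = "FWC-SCCM.fws.example.com"

def report() -> list:
    """Return (certificate, host, matched) for each combination discussed."""
    certs = (
        ("first cert", FIRST_CERT_SAN),
        ("reissued cert", REISSUED_CERT_SAN),
        ("no SAN (CN fallback)", []),
    )
    rows = []
    for label, san in certs:
        for host in (MP_HOST, "fwc-sccm"):
            rows.append((label, host, host_matches(host, CN, san)))
    return rows

if __name__ == "__main__":
    for label, host, ok in report():
        # CERT_CN_INVALID is the WinHTTP flag shown in the log for a name mismatch.
        print(f"{label:22} {host:28} {'match' if ok else 'CERT_CN_INVALID'}")
```
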
