• Status: Solved

Expired SSL Cert in SBS 2003 or is it?

ExBPA says my SSL certificate is expired for https://domain.com on SBS 2003. A valid certificate is in place for www.domain.com, which expires in 2011. www.domain.com is hosted by the ISP. Clues?
Asked by 2170059
1 Solution

Sembee commented:
https://domain.com and https://www.domain.com are two different hosts.
EXBPA will be referring to an SSL certificate stored on the local server.

Simon.

2170059 (Author) commented:
I realize they are different hosts. There is just the PDC for SBS 2003. So how do I reconcile the two? Two certificates?

Sembee commented:
The installation of SBS puts a self signed SSL certificate in by default. That is probably what EXBPA is detecting. Look in IIS Manager on the server and see what the certificate there says.

Simon.
2170059 (Author) commented:
The one in IIS is www.domain.com; the one from Best Practices is https://domain.com.

Sembee commented:
Best Practices only looks at machines with Exchange installed on them. As you have SBS you only have one server. The only thing I can suggest is to remove that certificate and run the tool again.

Simon.

2170059 (Author) commented:
I have removed the www.domain.com SSL certificate via IIS and run the tool, but it still says the https://domain.com certificate is expired as of 8/15/2005. Don't know where to remove that certificate or where to recreate a new one.

Sembee commented:
If you ping domain.com - what server responds?
Can you browse to https://domain.com ?

Simon.

2170059 (Author) commented:
I can browse to https but get a blank page. When I ping www.domain.com I get the ISP server that provides DNS.

Sembee commented:
You pinged the wrong thing.
Ping domain.com - not www.domain.com

Simon.

2170059 (Author) commented:
Interesting. It pings Starband, the ISP we have broadband service from, not the ISP that does DNS service.

Sembee commented:
Do you have a zone for domain.com in your DNS server?

Simon.

2170059 (Author) commented:
No, and this is beginning to feel like therapy. This SBS 2003 server was set up as domain.local because at the time it could not contact domain.com. From what I've found, the server must be completely reinstalled to change that. In my forward lookup zones there are only domain.local and _msdcs.domain.local. I intend to do a complete reinstall sometime soon but wanted to solve the original problem anyway.

Sembee commented:
You have misunderstood my question.

You can have zones in your DNS server for domains other than the domain that you are using for Active Directory.

A very common configuration is to have domain.local as the AD domain, then have a second zone for domain.com so that you can use the same names externally as internally. It is known as split DNS and is something that I deploy on most sites that I work with.

SBS likes to install the domain as domain.local and tends to complain if you do anything else. With SBS the trick for a successful deployment is to do everything that the wizard wants you to - don't fight it and the server will operate fine.

What I am trying to work out is why the EXBPA tool is connecting to that web site.

Simon.

2170059 (Author) commented:
Well the only zones listed are the ones I mentioned previously. No domain.com zone. Should I create one via New Zone?

Sembee commented:
You don't need to create one. The reason I asked was in an attempt to see where EXBPA is getting that SSL certificate from.

What does the server announce itself as?
To check, go into ESM, Servers, <your server>, Protocols, SMTP. Right click on SMTP and choose Properties. Click on the last tab "Delivery" and then Advanced. What does it say in the box labelled FQDN?

Simon.

2170059 (Author) commented:
It's domain.com.

Sembee commented:
That may explain it.

domain.com isn't a valid hostname for SMTP MX mail delivery. It needs to be host.domain.com (where host can be anything you like and domain.com is your domain name).

If you have your email delivered directly via an MX record, then you should change it to match the name on the MX record.
For example, if your MX record says mail.domain.com then enter mail.domain.com into that box.

If your email comes in via a POP3 connector or an SMTP feed from the ISP/Host, then ask your domain name registrar to create a new host pointing at your server. If not already used then use mail.domain.com, but you could use anything you like - such as owa.domain.com, post.domain.com etc.

Simon.

2170059 (Author) commented:
This is obviously the heart of the matter. We have one satellite ISP with a static IP that provides internet service. We have another ISP with 2 dialup accounts that resolves our domain name into one of those email accounts, and mail is extracted from their server via Outlook 2003. We would prefer that we get our email via our own Exchange in SBS 2003. So, is creating the MX record in DNS and an A record for the ISP and the IP for our domain name the correct step? And do we need the ISP to change something? Yes, I'm new at this end of the business.

Sembee commented:
There are actually two issues.

1. What the server announces itself for outbound email.
If you already have a static IP address then just get a host (A record) pointed at that IP and change what the server is announcing itself as in the box above.

2. Switching your email to direct delivery.
That isn't affected by the above change - you could still get the host created. Then you use the same host for your MX record. The MX record and host are set up by your domain name registrar. That might be your ISP, it might be someone else.

Simon.
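As an added example (not code from the thread, and not an Exchange or EXBPA API), a small Python script that reproduces the checks Simon walks through: whether the name the server announces itself as is a bare domain, which names resolve to a different host, and whether the certificate for the announced name has expired. The DNS answers and certificate fields are constructed sample data, and `diagnose` and `suggested_fqdn` are hypothetical helper names.

```python
import ssl

# Constructed sample data so the example runs offline. Certificate fields follow
# the shape of ssl.SSLSocket.getpeercert() output (only the fields used here).
SAMPLE_CERTS = {
    "domain.com":     {"subject_cn": "domain.com",     "notAfter": "Aug 15 00:00:00 2005 GMT"},
    "www.domain.com": {"subject_cn": "www.domain.com", "notAfter": "Jan 01 00:00:00 2011 GMT"},
}
SAMPLE_DNS = {  # constructed answers using TEST-NET addresses
    "domain.com": "203.0.113.10",       # the broadband ISP's gateway, as in the thread
    "www.domain.com": "198.51.100.20",  # the hosting ISP's web server
}


def is_bare_domain(fqdn):
    """True for 'domain.com'; SMTP should announce host.domain.com (3+ labels)."""
    return len(fqdn.strip(".").split(".")) < 3


def cert_expired(cert, now_ts):
    """Compare a getpeercert()-style notAfter string against a Unix timestamp."""
    return ssl.cert_time_to_seconds(cert["notAfter"]) <= now_ts


def diagnose(announced_fqdn, certs, dns, now_ts):
    """Findings for the name in ESM > SMTP > Delivery > Advanced > FQDN."""
    address = dns.get(announced_fqdn)
    cert = certs.get(announced_fqdn)
    return {
        "bare_domain": is_bare_domain(announced_fqdn),
        "address": address,
        # names that resolve elsewhere are different hosts with their own certs
        "other_hosts": sorted(h for h, ip in dns.items() if ip != address),
        "cert_present": cert is not None,
        "cert_expired": cert is not None and cert_expired(cert, now_ts),
        "cert_name_matches": cert is not None
        and cert["subject_cn"].lower() == announced_fqdn.lower(),
    }


def suggested_fqdn(announced_fqdn, mx_host=None):
    """Name to enter in the FQDN box: the MX target if mail is delivered directly,
    otherwise a host under the domain (mail.domain.com in the thread)."""
    if mx_host:
        return mx_host
    return "mail." + announced_fqdn if is_bare_domain(announced_fqdn) else announced_fqdn


if __name__ == "__main__":
    NOW = 1199145600  # 2008-01-01 00:00:00 UTC, constructed "today"
    for name in ("domain.com", "www.domain.com"):
        print(name, diagnose(name, SAMPLE_CERTS, SAMPLE_DNS, NOW))
    print("suggested FQDN:", suggested_fqdn("domain.com"))
```

Against real servers, replace the sample tables with `socket.gethostbyname` results and the dictionary returned by `getpeercert()` on a verified TLS connection.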