rbmacct

Event Id: 12016 (no valid SMTP Transport Layer Security (TLS) certificate)

I'm receiving a lot of Event ID: 12016 errors in my event log.

Scenario.

Once had a SelfSigned Certificate.
Changed to a valid CA. Installed via IIS.

I'm assuming Exchange does not know about the new certificate, thus throwing these error(s).

I've read this thread. https://www.experts-exchange.com/questions/23584461/Event-ID-12016.html. But I'm not sure if this is what is needed, since I'm running a cert from a valid CA.

Can anyone please provide me with clearer instructions and/or the cmdlets to satisfy this error?

Thanks.
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of ex1.RulesBasedMedicine.com. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of ex1.RulesBasedMedicine.com should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Chris Dent
Hey,

It's because you installed with IIS. Really you need to be using the Exchange cmdlets through the console to install the certificate.

Let's see if we can see it in Exchange. If you could open up the Exchange Management Shell and run:

Get-ExchangeCertificate | Format-List

You'll see a few of them, the self-signed certificate will still be there and most likely bound to the SMTP service.

If you can see your new certificate there we can change the bindings so it's used for OWA and SMTP (and anything else we might need).

If you can't see it, can you export it from IIS, then we can import it into Exchange as a whole, making it available for the services there.

HTH

Chris
rbmacct

ASKER

Chris,

I can see both of them. OWA is using the valid certificate, SMTP however is most likely not.

2 out of 3 are valid. However, one is about to expire. I would like to use the valid certificate from GoDaddy (1 of 3 certificates showing) for all 3 services.

Thanks.

Good stuff, at least we don't have to re-import it. That means all we have to do is modify the server bindings. This should do:

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP

That assumes it's already bound to IIS. Is that the case?

You'll have to copy and paste the Thumbnail. You should get the full string from the command above.

You can also bind it to IMAP, POP and UM (Universal Messaging) if you need to.

Chris

Oh and once the old certificate is unbound, you should be able to use "Remove-ExchangeCertificate" to get rid of it.

Chris
rbmacct

ASKER

Alright. This has been done 'Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP'.

It took me to a fresh command line. I ran get-exchangecertificate | fl and it shows the same. Does this sound correct?


It should show the SMTP service bound to the new certificate now. Is that the case?

Chris
rbmacct

ASKER

I don't mean to sound ignorant, but how do I tell? I can't see that from the get-exchangecertificate | fl command.

That's a good question :)

It returns quite a lot when we pipe into Format-List and I don't have Exchange 2007 here to check on.

But, if you run this on its own:

Get-ExchangeCertificate

You should find a short-list of all certificates installed on the system including the service they're bound to under the Services heading.

Hopefully you should see the certificate you installed in IIS, with IIS listed as one of the Services. Does that one also include SMTP?

Chris
rbmacct

ASKER

No. The services that are listed are as shown:

1.) S...W
2.) .......
3.) SIP..

The only one showing correct is the first one (S...W).

I have no idea what those mean.


At a guess...

S = SMTP
I = IMAP
P = POP
W = Web

Is 1 the correct certificate?

Chris
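
A way to read the bindings without decoding the abbreviated Services column, as an added example that is not part of the original thread. It assumes the Exchange Management Shell and the Thumbprint, Subject, NotAfter, IsSelfSigned, Services and CertificateDomains properties on the objects Get-ExchangeCertificate returns; $Fqdn is the name from the event text in the question.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# $Fqdn is the name from the Event ID 12016 text quoted in the question.
$Fqdn = 'ex1.RulesBasedMedicine.com'
$now  = Get-Date

# One row per certificate, with the full service list instead of the
# abbreviated Services column of the default table view.
$report = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned,
    @{Name = 'Services'; Expression = { $_.Services.ToString() }},
    @{Name = 'CoversFqdn'; Expression = {
        # -like lets a wildcard entry such as *.example.com match; it is looser
        # than TLS wildcard matching because it also spans several labels.
        $hit = $false
        foreach ($d in $_.CertificateDomains) {
            if ($Fqdn -like $d.ToString()) { $hit = $true }
        }
        $hit
    }},
    @{Name = 'Expired'; Expression = { $_.NotAfter -lt $now }},
    @{Name = 'HasSmtp'; Expression = { $_.Services.ToString() -match 'SMTP' }}

$report | Format-List

# Certificates that already satisfy the event: cover the FQDN, unexpired, SMTP enabled.
$ok = @($report | Where-Object { $_.CoversFqdn -and -not $_.Expired -and $_.HasSmtp })
# Certificates that would satisfy it once SMTP is enabled on them.
$candidates = @($report | Where-Object { $_.CoversFqdn -and -not $_.Expired -and -not $_.HasSmtp })

if ($ok.Count -gt 0) {
    "SMTP is bound to an unexpired certificate for ${Fqdn}:"
    $ok | ForEach-Object { "  $($_.Thumbprint)  expires $($_.NotAfter)" }
} else {
    Write-Warning "No unexpired certificate covering $Fqdn has SMTP enabled."
    # Print (do not run) the binding command from the thread for each candidate.
    $candidates | ForEach-Object {
        "  Enable-ExchangeCertificate -Thumbprint $($_.Thumbprint) -Services SMTP"
    }
}
```

The script only reads certificate state; the Enable-ExchangeCertificate lines are printed for review rather than executed.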
rbmacct

ASKER

Chris,

Yes, 1 is showing the correct certificate.
ASKER CERTIFIED SOLUTION
Chris Dent

This solution is only available to members.

FYI

I just had this exact error. I tried all this with no help. Then I noticed that I was very low on disk space on the C drive of the server. So beware, this error can be reported due to lack of disk space.
Hope this might help someone.
Terry