
RPC/HTTPS and Iphone not working on Win 2003 server since certificate expired

Hi - We recently had an expired SSL certificate which we replaced on our Windows 2003 R2 server - However when we installed it, we can no longer access any sites, like OWA etc...
Although the common name and settings seem exactly the same as the certificate before it. I am forced to then use an SSL certificate that's self-created but this only gives access to OWA (with a warning) but iPhones and RPC/HTTPS for Outlook do not work despite installing the certificate locally -

I am really stumped and desperate to get the resources working again but worried there may be another issue with the server which is manifesting itself through the certificates.

Cheers

Distinguished Expert 2018

Commented:
The fact that you can use a self-signed certificate makes me believe that there is not a "larger issue" going on with your server, but simply that your certificate is not installed properly. Try going through the process of re-keying your certificate with your 3rd-party provider, install it, and then check your entire configuration (ActiveSync for iPhones and Outlook Anywhere...the former RPC over HTTPS) via the Microsoft tool at www.testexchangeconnectivity.com. Take its advice and create a test account, but it can pinpoint issues in pretty good detail.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Who generated the original SSL certificate?  A 3rd party or was it from your own server?
If it was from your own server - you will need to re-install the certificate onto all computers that use RPC over HTTPS because the certificate is not trusted.
For Activesync with an iPhone, the iPhone could not care less about who issued the certificate, so that should work, but as it does not, something else must be happening.
To make your life a thousand times easier, you would be better off spending £30 to buy a 3rd party SSL certificate from the likes of GoDaddy (1 year single name certificate) and then installing that.  It will eliminate the need to install the self-signed certificate on your clients and will also mean that troubleshooting will be easier.
I would imagine that on the iPhones, you will have to delete the account and set it up again, accepting the certificate warning, but to be sure, please run the Exchange Activesync test on https://testexchangeconnectivity.com, specify manual server settings and tick the "Ignore Trust for SSL" because you have a self-signed certificate.

Commented:
Check the naming on the old certificate and compare it with the new certificate; if these don't match, change the new certificate to be the same as the old certificate and go through the process of re-registering within Certificate Services / IIS. As cqaliher states, check things out using the Microsoft tool stated within the post. It may also be worthwhile considering using a certificate provided by GoDaddy or another public certificate authority, as they provide details on how to create and install

Author

Commented:
Thanks for all the tips so far - the thing is, I have been using a GoDaddy certificate up until the 7th of June when it expired - I then downloaded a replacement one from GoDaddy but when I install it, OWA, RPC/HTTPS etc. doesn't work - the fact that I cannot browse to the OWA site means something is not correct yet; I did not change anything, I simply got a renewed certificate. The CN looks the same as it ought to be, which is mail.mydomain.co.uk, and following the instructions from GoDaddy I still get the same issue, hence why I turned to a self-made certificate - However, I have fiddled around so much now that even the self-made one no longer works - I get to OWA but it rejects all logins - Ideally I want to crack the issue using GoDaddy but if that fails then at least get OWA/HTTPS working because clients are screaming -

[Attachment: screenshot; domain name masked by moderator]

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Your certificate showing on the website is issued to server.yourdomain.local, which will never work on a certificate (.local is not internet resolvable).
If you renewed via GoDaddy, the certificate is not installed properly as it is showing a self-signed certificate.

[Attachment: screenshot; certificate name masked by moderator]

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Revert back to the GoDaddy certificate and we will see if we can't get you working again.

Author

Commented:
Ok chaps, I have now reverted to the GoDaddy certificate - our OWA site is https://mail.mydomain.co.uk/exchange, which I cannot access now that it's been changed to the GoDaddy certificate. Let me know if you gather any clues - thanks
[Attachment: screenshot; domain name masked by moderator]

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
That does not resolve / connect anymore.
Distinguished Expert 2018

Commented:
Your server is behaving like I'd expect a server to behave if it doesn't have the proper private key for an SSL certificate. I'll reiterate my advice from above:

Create a new CSR via IIS, go to GoDaddy and request a "rekey" of the certificate. This is essentially getting a new certificate, but it doesn't cost anything because the "subject name" is not changing. Then go through the process of installing the new certificate *and* any intermediate certificates that you may need (even if you think you've installed them before.) Then perform an IISReset.

Author

Commented:
That's what I mean and I don't understand why - is it something to do with the way the certificate is composed or placed within IIS? I am sure I did the same thing last year and it worked a dream -
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
It is also worth following step 13 onwards from the following GoDaddy Help page to make sure you are not using the wrong certificate:
http://help.godaddy.com/article/4875 

Author

Commented:
Well, when I did the wizard, there was no GoDaddy certificate in the Trusted Root Certification Authorities folder, so I just proceeded to the step of installing the SSL certificate and boom! I lose all connection to the websites - I wonder if the certificate is screwed -
How can I at least get back to working order with an internal certificate whilst I wait to fix the external one?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Open up IIS manager, expand your websites, open up the default website, then right-click the default website.  Click onto the Security Tab and then remove the certificate and replace with the self-signed one.
Then go back to GoDaddy and re-key as suggested, for which you will have to remove the self-cert certificate and regenerate a Certificate Signing Request and then re-key on the GoDaddy site, then re-install the re-keyed certificate.
Your websites will be down until you install the re-keyed certificate.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - site is back now.

Author

Commented:
Okay - I have rekeyed and downloaded the certificates, now going back to the wizard, I reach the stage where it says "Process the pending request and install the certificate" and then enter the path and file name of the file containing the certification authority's response - when I browse to the certificates I downloaded from GoDaddy, it's looking for a *.cer whereas the certificates are not in that format - I have two certificates:

gd_iis_intermediates.p7b
mail.mydomain.co.uk.crt

So should I select all files and then the .crt one?
Should GoDaddy have issued me with a .cer?
[Attachment: screenshot; domain name masked by moderator]

Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Change the format.  You have a drop-down box where you can choose the file type for the certificate being looked for.  Change it to .P7B and it will find the GoDaddy certificate.
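The two failure modes this thread circles around, a certificate installed without its private key (cgaliher's re-key advice above) and the site certificate installed without the GoDaddy intermediates from the .p7b bundle, are both visible from the certificate store itself. The following is an added example, not code from the thread, its participants or GoDaddy: a PowerShell function that audits every certificate in the server's Personal store and reports which of those conditions applies. It assumes an elevated PowerShell session on the IIS/Exchange server, that `-HostName` is the public name clients connect to (`mail.mydomain.co.uk` is the thread's masked name, used here only as a placeholder), and that the intermediate bundle has been imported with `certutil` as shown in the usage comment.

```powershell
# Added example (not from the thread): audit the machine's Personal (My)
# certificate store for the problems discussed above, so you can see which
# certificate IIS/Exchange should be bound to and why a new one is refused.
# Assumes: elevated session on the server; -HostName is the public FQDN.

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$HostName,                       # e.g. mail.mydomain.co.uk (placeholder)
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = @()

        # 1. No private key: the certificate was issued against a CSR whose key
        #    this server does not hold. IIS cannot serve TLS with it; generate a
        #    new CSR on this server and re-key with the CA.
        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key in store (re-key against a CSR from this server)'
        }

        # 2. Name check: the public host name must be the CN or a DNS SAN.
        #    A name like server.yourdomain.local is never valid on the internet.
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format($false) renders e.g. "DNS Name=mail.example.com, DNS Name=autodiscover.example.com"
            $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }
        if (-not ($names -contains $HostName)) {
            $problems += "name mismatch: certificate is for $($names -join ', ')"
        }

        # 3. Validity window (the original problem: an expired certificate).
        $now = Get-Date
        if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }
        if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }

        # 4. Chain: clients only trust the leaf if every intermediate is present.
        #    Revocation checking is skipped so an offline server reports a missing
        #    intermediate rather than a CRL download failure.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not build: $status"
        }

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            Problems      = $problems
        }
    }
}

# Usage on the server. First place the intermediate bundle from GoDaddy into the
# Intermediate Certification Authorities store, then run the audit:
#   certutil -addstore CA gd_iis_intermediates.p7b
#   Test-ServerCertificate -HostName mail.mydomain.co.uk | Format-List
```

A certificate whose `HasPrivateKey` is false is the state cgaliher describes: the public certificate landed in the store but the key it was issued for was never there, and no amount of re-importing the .crt fixes that, only a new CSR and a re-key. `SelfSigned = True` on the bound certificate matches what Alan saw on the website. The `.crt` file is the site certificate the IIS wizard's pending-request step consumes; the `.p7b` is the CA bundle, which is what `certutil -addstore CA` loads so that the chain check in step 4 passes.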

Author

Commented:
Yep, I did that and it works in as much as the website is up now with the GoDaddy certificate - so thanks for the guidance there -

However, I have another issue which I think I may have caused when fiddling yesterday (STUPIDLY!!)
Basically, I cannot authenticate with any usernames/passwords, it says it's the wrong UN/PWD - I may have fiddled with authentication last night comparing settings with another server we have - end result is that we cannot login to OWA !!! :((
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Have a read through my Activesync article and check your IIS permissions.  The article should get your Activesync working and may fix the OWA error too:
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Exchange-2003-Activesync-Connection-Problems-FAQ.html 

Author

Commented:
Ok, I will recheck through this article then - bear in mind that up until yesterday I was able to login to OWA so I reckon it's something I have touched but not sure - can you recall anything off the top of your head that could prevent a username and password from working in OWA, including administrator?
In the meantime I will read through your link - thanks
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
It is probably down to IIS permissions not including Integrated Authentication on the Exchange virtual directory.  If you make a change, run iisreset afterwards.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Don't forget that the https://testexchangeconnectivity.com website will be very useful in testing / resolving IIS settings issues.

Now you have a 3rd party certificate, you don't need to ignore trust for SSL in the ActiveSync test (still specify manual server settings though), and you can now use the RPC over HTTPS test; also specify manual server settings.

Author

Commented:
I cannot see an authentication tab under the Exchange virtual directory; is this because it inherits it from the default website?
See below for the settings I have in there: that's the only place I can see where I can edit the authentication.

[Attachment: Capture.JPG, screenshot of the IIS authentication settings]
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
If that is the Exchange virtual directory, lose the anonymous access and include basic authentication.

There is no Authentication tab, you need the security tab, then top edit button (if my memory serves me correctly).

Author

Commented:
Hi Alan,

Well, I managed to get OWA working again, so now all our Mac clients can connect - The issue was with forms-based authentication, which I deselected and re-selected -

I am still stumped on ActiveSync and RPC/HTTPS - I am following your instructions and found a few changes to be made but wanted to double check with you first as I wasn't sure whether the realm was to be .local or .co.uk (we don't host .co.uk internally)

[Attachment: Capture.JPG, screenshot of the realm setting]
Alan Hardisty, Co-Owner
Top Expert 2011
Commented:
Default Domain / Realm is not crucial - but what you have put in the image should be fine.

Author

Commented:
Ok - I think following those instructions to the book, when it came to authentication, has resolved the issue - I now have RPC/HTTPS + ActiveSync + OWA all working again - I still don't quite know why I had to do all that work just because of the certificate but I am not complaining!

Thanks so much for your guidance
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Great news - glad it is all going again and thanks for the points.
You may have messed with the IIS settings trying to get the cert working and once you do one thing, it may have had a knock-on effect.
Either way - the fact that it is working is good news and with any luck - it will stay that way for a long time (at least until the certificate expires).
I will remove references to your domain name in the question now as you don't want unwanted attention from Googlers!!