iPhone no longer syncing with exchange mailbox - ExRCA testing failed

Posted on 2010-08-25
Last Modified: 2012-05-10
Hi there,

I have an SBS 2008 server. I was receiving emails on my iPhone 3G with no problems; it was syncing with my Exchange mailbox fine. It has now stopped working.

I ran the exchange connectivity test and receive the following results:

ExRCA is testing Exchange ActiveSync.
  The Exchange ActiveSync test failed.

  Test Steps

  Attempting to resolve the host name mail.companyname.co.uk in DNS.
    Host successfully resolved

  Additional Details
  Testing TCP Port 443 on host mail.companyname.co.uk to ensure it is listening and open.
    The port was opened successfully.

  ExRCA is testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.

    Test Steps

    The certificate name is being validated.
      Certificate name validation failed.

      Additional Details
      Host name mail.companyname.co.uk does not match any name found on the server certificate CN=localhost.localdomain, OU=Systems Engineering, O=N-able Technologies, L=Ottawa, S=ON, C=CA
Question by:unrealone1
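The ExRCA name check above can be reproduced from any Windows machine before touching the server. The following is an added example, not code from the thread: it connects to the host on 443, reads the certificate actually being served, and compares the requested name against the CN and the Subject Alternative Names. The host name is an assumed placeholder.

```powershell
# Added example (not from the thread): reproduce the ExRCA name check.
# Reads the certificate served on the port and compares the requested
# name against its CN and Subject Alternative Names. The host name used
# in the call at the bottom is an assumed placeholder.
function Test-ServedCertificateName {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever is presented: we want to inspect it, not trust it.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    # CN from the subject, then every DNS entry of the SAN extension (OID 2.5.29.17).
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields "DNS Name=a.example.com, DNS Name=b.example.com"
        # on English Windows; the "DNS Name" label is localised elsewhere.
        $names += ($san.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $names = $names | Select-Object -Unique
    # Exact match, or a single-label wildcard (*.example.com covers
    # mail.example.com but not a.b.example.com).
    $wanted = $HostName -replace '^[^.]+', '*'
    $matched = $names | Where-Object { $_ -ieq $HostName -or $_ -ieq $wanted }
    New-Object PSObject -Property @{
        HostName    = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        NamesOnCert = ($names -join ', ')
        NameMatches = [bool]$matched
    }
}

Test-ServedCertificateName -HostName 'mail.companyname.co.uk' | Format-List
```

A result with NameMatches false and a Subject like the CN=localhost.localdomain seen above means the name, not the handset, is the problem; also compare NotAfter against the expiry date you expect.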
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33526158
Did your Server Certificate expire recently and get replaced with the wrong one?
It certainly sounds like a certificate problem to me. It seems the certificate was re-issued / replaced with a localhost.localdomain certificate and not one with mail.companyname.co.uk.
That will kill Activesync stone dead in seconds.
0
 
LVL 1

Author Comment

by:unrealone1
ID: 33526378
No one has touched our server recently - I go SBS Console > add a trusted certificate > "I want to use a certificate that is already installed on my server" > select next

Issued to: mail.mycompany.co.uk
Issued by: domain-SERVERNAME-CA
Expiration Date: 16-03-2011
Type: Self issued

 It fails to import the trusted certificate

"The imported certificate does not match your website, verify you have selected the correct certificate and try again" etc
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33526492
If nothing had changed, how has the iPhone been synching before now?

If the certificate has not changed, have you changed the handset to use SSL when it wasn't using it before?

Ideally, you would be better off buying a 3rd party SAN / UCC certificate and installing it.  GoDaddy sell them for about £40 for a year.
0
 
LVL 59

Accepted Solution

by:Cliff Galiher (earned 1000 total points)
ID: 33526577
I'm with AlanHardisty on this. Things rarely change for no reason, and a 3rd-party certificate would be the easiest to manage.
But, I reply not simply to agree, but to also explain what you are seeing. The Trusted Certificate wizard does two things. First, it generates the private key for a certificate and generates the CSR for a public key to be created. Then, if you choose, you can self-issue a certificate and then complete the wizard, or you can submit the CSR to a 3rd-party and then return to the wizard later to import the public key they issue.
Either way, when you choose the option to import a certificate, that option only imports the public key. That public key must be matched with a private key already in the certificate store (which is *never* submitted to a 3rd-party, or it'd defeat the purpose of the key being private.)
If you attempt to import a public key that the wizard cannot find a matching private key for, you will receive the error you described in your follow-up post.
So, in short, the private key for the certificate you are now trying to select has been removed from your certificate store at one time or another. The only option now is to create a new certificate; whether you choose to go self-signed or go 3rd-party is up to you, but you cannot simply import the existing certificate (as you already discovered) for the reasons I covered above.
-Cliff
 
0
 
LVL 1

Author Comment

by:unrealone1
ID: 33537939
Thanks for the info,

How would I go about creating another certificate?
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 33538023
Well, as mentioned above, ideally you would purchase one (which I strongly recommend). The "add trusted certificate wizard" will walk you through that process.
If, however, you are dead-set on using an internally signed certificate, the "add trusted certificate wizard" is not the proper tool. As the name implies, that tool is for "trusted" certificates (which is more explicitly meant to mean globally trusted...aka 3rd-party...)
An internal certificate is created when you run the Internet Address Management Wizard. Rerunning that wizard will reset your DNS entries and create a new certificate with its deployment package. That should resolve your issue.
-Cliff
 
0
 
LVL 1

Author Comment

by:unrealone1
ID: 33539916
Thanks, why is it recommended to purchase a certificate over creating one? You say it's easier to manage?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 33539965
3rd party ones are much easier to support.  You don't need to install certificates on devices, they will stop causing you issues with Certificate warnings etc and for the cost, you will save time and money fixing issues associated with a self-signed certificate.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33539989
Visit www.godaddy.com (or my reseller site via my profile if you wish ; )  ) and buy a multi-name SSL certificate (SAN / UCC).
You will need the following names in your certificate:
mail.yourdomain.com (or whatever you want to use that points to your server in DNS)
autodiscover.yourdomain.com
internalservername.internaldomain.local
internalservername
0
 
LVL 1

Author Comment

by:unrealone1
ID: 33540788
If I go to
http://www.exchange-certificates.com/ I get the option of standard or deluxe?

If I go to godaddy, http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039

I can choose between standard and premium. Is this the right certificate I need to purchase? Which one?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33540928
Standard Multi-Domain one from the first link should be all you need, or Standard Multi-Domain is fine on the GoDaddy link.
5 names should be sufficient unless you plan on expanding the domain names in the near future.
0
 
LVL 1

Author Comment

by:unrealone1
ID: 33541334
Thanks I purchased the standard multidomain certificate from godaddy, paid and logged in.

I followed the instructions so far, but it's asking me to enter:

Where is the certificate going to be hosted, I selected third party.
Then it asks for:
Enter your Certificate Signing Request (CSR) below:
Make sure the CSR you generate uses a 2048-bit or greater key length

What is this?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33541401
The CSR is generated on your server (Certificate Signing Request).
Open up the Windows SBS Console and on the Home Page click on the "Add a trusted Certificate" link.
Follow the prompts.
Alternatively, use the Exchange Management Shell by reading the following:
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx 
Or generate the CSR on this site:
http://www.tachytelic.net/2010/03/new-exchangecertificate-cmdlet-syntax-generator/ 
0
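The Exchange Management Shell route Alan points to, carried through end to end, as an added example that is not code from the thread or from the linked pages. It uses the four names Alan listed, and it includes the private-key checks that explain the wizard error Cliff described in the accepted solution: the CSR must be generated and the CA's response imported on the same server, because only that machine's store holds the private key. Domain names, file paths and the organisation are assumed placeholders; the cmdlet parameters are the Exchange 2007 (SBS 2008) syntax.

```powershell
# Added example, not from the thread: CSR and import sequence for an
# Exchange 2007 (SBS 2008) server, with the private-key checks that explain
# the "certificate does not match your website" wizard error. Names, paths
# and the organisation below are assumed placeholders.
$names = 'mail.companyname.co.uk',
         'autodiscover.companyname.co.uk',
         'servername.companyname.local',
         'servername'

# 1. Generate the private key (kept in the local machine store) and the CSR
#    (the only thing that is sent to the CA). GoDaddy required a 2048-bit
#    key in this thread.
New-ExchangeCertificate -GenerateRequest -Path 'C:\certreq.txt' `
    -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "C=GB, O=Company Ltd, CN=$($names[0])" `
    -DomainName $names

# 2. The pending request holds the private key until the CA's response
#    arrives. If this entry is gone before the import, the public certificate
#    can never be paired, which is the situation Cliff describes.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Select-Object Subject, HasPrivateKey, Thumbprint

# 3. Import the CA's response on the SAME server and enable it for IIS
#    (OWA, ActiveSync, Autodiscover) and SMTP.
$cert = Import-ExchangeCertificate -Path 'C:\mail.companyname.co.uk.crt'
$cert | Enable-ExchangeCertificate -Services 'IIS,SMTP'

# 4. Verify: every required name present, private key paired, services bound.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, HasPrivateKey, Services, NotAfter

# 5. List certificates in the machine store that have no private key; these
#    are the ones the SBS "Add a trusted certificate" wizard cannot import.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter
```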
 
LVL 1

Author Comment

by:unrealone1
ID: 33578128
Thanks, well that was painful. I purchased certificate, then placed a CNAME on my website to prove I own the domain etc. Godaddy have now sent me the certificate.

I have imported it into the sbs console.  
I select the godaddy certificate and click next, it imports it and then says.
"The imported certificate does not match your website. Verify that you selected the correct certificate file, and then try again"
In the certificate I have mail.mycompany.co.uk and my website is mycompany.co.uk

0
 
LVL 1

Author Closing Comment

by:unrealone1
ID: 33594830
Thanks - will open another question for the next part
0
