Solved

Broken Exchange 2007 OWA after SSL Install

Posted on 2010-09-01
Last Modified: 2012-05-10
I was following instructions online after unsuccessfully installing a renewal SSL cert for Exchange 2007 OWA. It had me run a command to overwrite the default SMTP cert by using this "certutil -repairstore" command. After I ran that, I went from users getting a cert error to a 404! Anyone have any ideas how I can get my OWA back up and running?

Running SBS 2008 with Exchange 2007
Question by:SteveMat11
23 Comments
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574699
I would remove the certificate (assuming you still have a copy of it from your CA) and go through the following steps:

How To-Enable SSL on Exchange 2007 services.

Step 1: Obtain an SSL certificate, e.g. from www.thawte.com or www.verisign.com
Step 2: Import the SSL certificate and copy the thumbprint.
- Run the following command, where "c:\newcert.cer" is the location and name of your certificate:
  Import-ExchangeCertificate -path c:\newcert.cer
- Copy the thumbprint by doing the following:
  - Open the Exchange Management Shell.
  - Run the following command: dir cert:\LocalMachine\My | fl
  - Locate the certificate you just imported and copy the Thumbprint property to the Windows Clipboard.
Step 3: Enable the certificate on the Default Web Site:
- Open the Exchange Management Shell.
- Run the following command:
  enable-ExchangeCertificate -thumbprint [value you got from above] -services "IIS,IMAP,POP"
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33574704
Do you have SP2 for Exchange on the SBS machine?
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33574708
Is Exchange 2007 updated with the latest service packs? If not, update it. It will fix the problem.

Hope this helps,
Shree
0
 

Author Comment

by:SteveMat11
ID: 33574775
Tony, I tried those exact instructions.  It asked me if I wanted to overwrite, I said yes.  I still have nothing.  I am using a GoDaddy SSL Cert.  Thanks for any help you can give.
0
 

Author Comment

by:SteveMat11
ID: 33574789
Not sure if this matters but the cert file extension is .crt not .cer
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574802
Hmm. Can you see the certificate in the cert manager snapin?

Start -> Run -> MMC -> File -> Add/Remove Snapin -> Certificate -> Computer Account -> Local Computer

Can you confirm the certificate is there and has a private key?
0
 

Author Comment

by:SteveMat11
ID: 33574818
Yes, it is showing and says I have a private key. Interesting though, our OWA address is "maildotcihvadotorg". If I access it now with https:// instead of http://, I'm getting something but still not OWA. Any ideas?
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574832
Ah yes - OWA in 2007/2010 has to be via HTTPS

What are you getting now?
0
 

Author Comment

by:SteveMat11
ID: 33574842
Error 403
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574885
I'm seeing 503 when I look (when I reread, I saw your owa address!) - service unavailable.

Has anything else changed? Any other software installed?
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574890
If you're getting 403, I suspect you aren't adding /OWA to the end of the web address?

i.e. https://address/owa
0
 

Author Comment

by:SteveMat11
ID: 33574891
Nothing, I believe you got the 503 when I was restarting IIS.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574915
Ha yeah that'd do it :)

This is weird because your cert looks ok from here although once we get this going we maybe need to talk about SAN/UC certs down the line.

Anything in the event logs?
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33574953
If you run the Get-ExchangeCertificate command, what do you get back?
0
 

Author Comment

by:SteveMat11
ID: 33574958
Nope, checked there. Basically what I did right before it broke was a -repairstore on the cert, per instructions I had found online, since I was getting an error while trying to install it. It said something about the private key missing and the instructions said to use the repairstore command if that happened. As soon as I did that, it stopped working.
0
 

Author Comment

by:SteveMat11
ID: 33574979
I get back the following:
mail.cihva.org (this is what I purchased from godaddy) Services are "WS"
livewire  - no services
remote.cihva.org "IPWS"
WMSVC-WIN-SOMETHING.... No services
sbsserver.cihva.local "IPS"
Sites "IPS"
CIHVA-SBSSERVER-CA ..... No services
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33575016
Try this:

enable-ExchangeCertificate -thumbprint [value you got from above] -services "IIS,IMAP,POP,SMTP"
0
 

Author Comment

by:SteveMat11
ID: 33575026
tried that, nothing
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33575080
I'm getting the address rewrite in the IE address bar now but it just times out.

Can you have a quick look through the event logs?
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 33575136
mail.cihva.org (this is what I purchased from godaddy) Services are "WS"

W = Web
S = SMTP

That should be ok for what we're doing.

The only solution I can see for this appears quite drastic:


Uninstall IIS
Reinstall IIS
Uninstall CAS
Reinstall CAS
Reregister OWA in IIS

The following URL http://support.microsoft.com/default.aspx?kbid=320202
0
 

Author Comment

by:SteveMat11
ID: 33575142
Would you be opposed to RDPing in and taking a look? If not, email me at stevem11 at optonline dot net
0
 
LVL 25

Accepted Solution

by:
Tony Johncock earned 500 total points
ID: 33581246
Wow...what a complete pig of a problem.

For anyone else in the same boat, I followed steps to recreate the OWA virtual directory from within EMS but it didn't work.

In the end, we ended up agreeing to bite the bullet and put Exchange SP2 on - for anyone else who needs to do this on SBS 2008, the easiest way is as follows:

Update Windows Installer to 4.5
Download Exchange 2007 SP2
Download the SBS Exchange 2007 SP2 Installer
Extract the SP2 files
Install and run the SP2 installer and follow the instructions

Ensure that the default website has nothing bound for https / 443.

At this point, I needed to tell the SBS Applications Website to use the correct certificate as it had reverted to using the self-installed one.

Reboots may be required after MSI 4.5 and Exchange SP2.
0
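The two checks this thread kept returning to (does the renewed certificate have a private key, and is it the certificate actually bound to port 443) can be scripted as below. This is an added example, not code from the thread: the thumbprint is a placeholder, the helper name Get-SslBinding is hypothetical, and the parsing assumes English-language `netsh http show sslcert` output.

```powershell
# Added example. Run in an elevated Exchange Management Shell on the server.
# Placeholder: paste the thumbprint Get-ExchangeCertificate shows for the renewed cert.
$expected = '<THUMBPRINT-OF-RENEWED-CERT>'

# 1. The certificate must be in the machine store, have a private key
#    and still be inside its validity period.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
if (-not $cert)                        { Write-Warning "Certificate $expected is not in LocalMachine\My" }
elseif (-not $cert.HasPrivateKey)      { Write-Warning 'Certificate has no private key associated' }
elseif ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }

# 2. Which Exchange services each certificate is enabled for (W = IIS, S = SMTP, ...).
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter

# 3. What HTTP.sys really serves: pair every "IP:port" line with the
#    "Certificate Hash" line that follows it in the netsh output.
function Get-SslBinding([string[]]$NetshOutput) {
    $endpoint = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $endpoint = $matches[1]
        }
        elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            New-Object PSObject |
                Add-Member NoteProperty Endpoint   $endpoint             -PassThru |
                Add-Member NoteProperty Thumbprint $matches[1].ToUpper() -PassThru
            $endpoint = $null
        }
    }
}

# 4. Flag any 443 binding that presents a different certificate,
#    e.g. a self-issued one the site reverted to.
foreach ($binding in Get-SslBinding (netsh http show sslcert)) {
    if ($binding.Endpoint -like '*:443') {
        if ($binding.Thumbprint -eq $expected) {
            "OK        $($binding.Endpoint) serves the renewed certificate"
        } else {
            "MISMATCH  $($binding.Endpoint) serves $($binding.Thumbprint)"
        }
    }
}
```

A MISMATCH line means the site on that endpoint is still presenting another certificate even though Get-ExchangeCertificate lists the new one with the W service.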
 

Author Closing Comment

by:SteveMat11
ID: 33582594
Still can't believe he figured this one out. Thanks for all of the help!!!
0
