Solved

SSL Certificate showing as expired in SBS2003 Default Web Site/Outlook Web Access

Posted on 2010-09-22
Last Modified: 2012-05-10
Ok, so I am at a loss here. We are running a Microsoft Windows SBS 2003 Server with ISA. I did not configure this server, and whoever did set it up with a self-signed SSL certificate for the Default Web Site and its virtual directories (including Exchange OWA). It had been working fine but we decided it was time to get a 3rd party SSL so we purchased one and installed it. Once installed and applied to the website, and then on the incoming web requests in ISA, access was cut off to both the default web site and OWA, both internally and externally. As a temp fix, I went back and reapplied the old self-signed certificate in the exact same fashion as it was before the install of the 3rd party certificate (including again on the incoming web requests in ISA), but still no luck. I still receive the following message both internally and externally:

500 Internal Server Error - The received certificate has expired. (-2146893016)
Internet Security and Acceleration Server

But I have checked time and time again and the certificate is not expired.  What's perplexing is that I have reconfigured the entire setup in the exact same way it was configured prior to the attempted 3rd party certificate install and now it's not working.  So, as of right now, neither OWA nor the default web site is accessible.  As you can imagine, this is not good for business.

Any help would be greatly appreciated.  Thanks in advance!
Question by:spideyboy
12 Comments
 
LVL 10

Expert Comment

by:PlusIT
ID: 33741472
That is very odd. Are you sure you set up everything correctly in the certificate chain?

You should have two certificates, if I recall right from back in those days. One for the outside and one for the connection between ISA and the webservice.
You can also try to make the internal connection not via SSL to see if it's the cert at the outside that's giving you issues.

0
 
LVL 3

Expert Comment

by:AnakiMana
ID: 33741489
Dumb question, but have you double checked the server's date and time are correct?
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33741533
"500 Internal Server Error - The Received Certificate Has Expired (-2146893016)" Error Message When Users Try to Log On to a Published Web Site
http://support.microsoft.com/default.aspx?scid=kb;EN-US;823074


Do you see that the cert. is available @ the MMC > cert.\Machine store?
If not can you install/place a cert. on this location.
0
 

Author Comment

by:spideyboy
ID: 33745094
AnakiMana, yes date and time are correct.  
0
 

Author Comment

by:spideyboy
ID: 33745155
PlusIT, well, everything looks to be set up correctly in the certificate chain. As I said, I didn't do the original configuration on this machine, but the self-signed certificate was working prior to the attempted install of the 3rd party certificate, and the server has been reconfigured in the exact same way it was set up prior to that attempted install, so I am stumped. When you say there should be two certificates - can you explain in more detail? Also, I attempted turning off SSL with no luck.

0
 

Author Comment

by:spideyboy
ID: 33745265
Aravind,

There is no folder called machine store in mmc/certificates.  The certificate in question is in both the personal and trusted root certificates folder.  Does it need to be somewhere else?

0
 
LVL 10

Expert Comment

by:PlusIT
ID: 33745997
Hi spidey,

What I mean by two certificates is the following.

Your outside client initiates a websession for OWA (Outlook Web Access), so he types in http://mail.company.com/owa
He is provided with a certificate from the outside webport of the ISA server, which has a CN=mail.company.com

Once the webrequest from the client comes in, the ISA server turns around and forwards the request to the internal OWA server, let's say https://exchange-srv/owa. There's your second certificate, and now the CN=exchange-srv.

Maybe one of those two has expired and you are checking the wrong one? What I mostly did, though I'm not sure your security policy allows it, is to not use SSL between the ISA and internal server connection. If you could do that, you would then know for sure the problem is with the certificate at the outside of the ISA server.

There is of course a trick that lets you use the same certificate by tricking the internal ISA side into using the same CN as the outside one (you usually bypass DNS then via the hosts file), but if I remember correctly this is not best practice.
0
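The two-hop layout PlusIT describes, as an added example that is not part of the original thread: each hop is checked on its own for validity dates and for whether the name the caller asks for is on the certificate. The certificate dicts, dates and `NOW` are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns; the host names are the placeholders from the comment above.

```python
import ssl
from datetime import datetime, timezone

def cert_names(cert):
    # DNS subjectAltName entries if present, otherwise the subject CN.
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_hop(cert, connect_name, now):
    # Problems for one hop; connect_name is the host name the calling side asks for.
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if connect_name.lower() not in cert_names(cert):  # exact match, no wildcards
        problems.append("name mismatch")
    return problems

def audit(hops, now):
    # hops: {label: (cert, connect_name)} -> {label: [problems]}
    return {label: check_hop(c, name, now) for label, (c, name) in hops.items()}

# Constructed sample data: dicts in ssl.SSLSocket.getpeercert() layout.
LISTENER_CERT = {
    "subject": ((("commonName", "mail.company.com"),),),
    "notBefore": "Sep  1 00:00:00 2010 GMT",
    "notAfter": "Sep  1 00:00:00 2011 GMT",
}
INTERNAL_CERT = {
    "subject": ((("commonName", "exchange-srv"),),),
    "notBefore": "Sep  1 00:00:00 2005 GMT",
    "notAfter": "Sep  1 00:00:00 2010 GMT",
}
NOW = datetime(2010, 9, 22, tzinfo=timezone.utc).timestamp()
HOPS = {
    "client -> ISA listener": (LISTENER_CERT, "mail.company.com"),
    "ISA -> internal web server": (INTERNAL_CERT, "exchange-srv"),
    # One certificate for both hops, but ISA still asks for the internal name:
    "ISA -> internal, shared cert": (LISTENER_CERT, "exchange-srv"),
    # Same shared cert after ISA is pointed at the outside name (hosts file):
    "ISA -> internal, shared cert + hosts": (LISTENER_CERT, "mail.company.com"),
}

if __name__ == "__main__":
    for label, problems in audit(HOPS, NOW).items():
        print(f"{label}: {', '.join(problems) or 'ok'}")
```

With these samples the listener certificate is fine while the internal one is the expired one, which is the "checking the wrong one" case raised in the comment.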
 

Author Comment

by:spideyboy
ID: 33748554
Well, that's not how this system was originally configured. It was configured with one certificate for both the outside connection (incoming web requests) to ISA and the internal connection. And it had been working just fine. When I turn off the SSL between the ISA and the internal server connection, it tells me this page cannot be displayed without an SSL connection, even if I uncheck the require secure channel option on the directory in IIS. I'm at a loss.
0
 

Author Comment

by:spideyboy
ID: 33749562
Ok, so I basically cleaned out all of my certificates and started from scratch with a re-keyed 3rd party certificate and now I'm getting this error:

11004 - Host not found
Internet Security and Acceleration Server

Can anyone help me figure out what I've configured incorrectly in ISA?  
0
 
LVL 10

Expert Comment

by:PlusIT
ID: 33751750
How is your internal connection between ISA and the webserver set up?
0
 
LVL 10

Accepted Solution

by:
PlusIT earned 500 total points
ID: 33751770
Tell me exactly what ports and host etc. Also try entering your outside host on the ISA server in the hosts file, tricking it into believing it's the internal webserver IP.
0
 

Author Comment

by:spideyboy
ID: 33759032
It was actually a DNS and web publishing issue.  I figured it out today.   PlusIT your comments/tips got me thinking in the right direction so I will give you the points.  Thanks again!!
0

Question has a verified solution.
