amlydiate
Have wrecked OWA SSL on Exchange 2007 - Certificate problem
Hi all,
Having a nightmare with a 2008 server. In my attempts to try and get various Autodiscover/RPC issues fixed something changed and a couple of clients inside the network started to get autodiscover certificate errors saying the name on the certificate was invalid. I've since logged on to OWA externally and I'm getting a certificate error as well saying "The certificate was not issued by a trusted authority" even though it is a UCC multi-domain GoDaddy certificate. So I think I've managed to do something wrong with the certificate being used by OWA and Autodiscover. I've gone into ESW and typed Get-ExchangeCertificate and got the following back:
19AB70EE2E4046A7B4725408C0DC832F9780E517 ...WS CN=remote.domain.CO.UK
01236CDAAA070508368F9CD8590E75962BD9604E IP..S CN=owa.domain.co.uk, OU=Domain Control Validated, O=owa.s-domain.co.uk
BACFEA951F15377FD37924BE6D222252AFA7392B ..... C=UK, S=shire, L=don, O=company, OU=IT, CN=owa.domain.co.uk
A7685EF4F7217F14050C8A712FC9E0478F1F1055 ....S CN=remote.domain.CO.UK
6EAB45E4F154F85D80B00FD0AF616462B08A7D3B ....S CN=remote.domain.CO.UK
3125E1144085E4EB2EC09CD55586EF2BAE1F2CF0 ....S CN=SERVER.domain.local
4EDDE5C2C3C42BF23345ED0F1D741E0E5C4EC3F3 ....S CN=Sites
C2551C26BCAA30B3B6181005FEC118694B0F3DB3 ..... CN=domain-SERVER-CA
9EF59648147547251196342C12AF45196605B4C5 ..... CN=WMSvc-WIN-SER9SCTHZ40
I should point out that the thumbprint of the GoDaddy certificate is the one ending in 604E. The URL I want to use for OWA is owa.domain.co.uk. I included remote.domain.co.uk as a SAN in the GoDaddy certificate as I wanted to use that as the URL for VPN in the future. Accessing remote.domain and owa.domain however both end up in the same certificate error.
I've checked the certificate when trying to access OWA and it looks like it's the wrong one.
Can anyone please tell me how to fix this?
Many thanks in advance
Adam
Did you install the intermediate certificates? If not it can cause a problem because the server itself cannot find the trusted root certificate. If you re-download the certificate there should be 2 files: 1 is the certificate and the other is the intermediate certificate.
Let's try to get the external side working first.
Try:
Enable-ExchangeCertificate -thumbprint 01236CDAAA070508368F9CD8590E75962BD9604E -services "imap, pop, iis, smtp"
Try from an external site to access your OWA. Please note the FQDN that you type from an external computer MUST match the FQDN for which you registered your SSL, i.e. if you registered "mail.somewhere.com" with GoDaddy for an SSL certificate, you must try to go to "mail.somewhere.com".
Let me know if the certificate error continues from the outside.
ASKER
Hi, ran the command and got the following error:
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'SERVER.domain.local' because the
CA-signed certificate with thumbprint '19AB70EE2E4046A7B4725408C0DC832F9780E517' takes precedence. The following connectors
match that FQDN: Default SERVER.
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'remote.domain.CO.UK' because the
CA-signed certificate with thumbprint '19AB70EE2E4046A7B4725408C0DC832F9780E517' takes precedence. The following connectors
match that FQDN: Windows SBS Internet Receive SERVER.
I just don't understand how these other certificates suddenly got involved.
Things seem really messed up now, would appreciate any more help if you can.
Many thanks
Adam
ASKER
I think this is a problem with some confusion/conflict between the external FQDNs owa.domain.co.uk and remote.domain.co.uk but not sure how to correct this. I've just changed the FQDN of the send connector from remote.domain.co.uk to owa.domain.co.uk. The name of the UCC certificate if I view it is owa.domain.co.uk; however I included remote.domain.co.uk as a SAN in that certificate. Oddly when I try https://owa.domain.co.uk I get Error 403 Forbidden Access Denied. I think what I need to do is remove all references to remote.domain within Exchange/IIS and set everything as owa.domain. Any help in achieving this and getting everything pointing to the same UCC cert would be great.
Many thanks
Adam
I believe you need a Receive connector with the FQDN to match your SSL FQDN. Open the properties of your Receive connector and look at what the FQDN is presently.
Sorry... Try to change it to the FQDN of your SSL certificate. If it doesn't let you, create a brand new Receive connector and give it the correct FQDN from the beginning. Then you can delete the old Receive connector. Then re-try the enable exchange certificate cmdlet.
ASKER
OK from what I can tell I have no receive connectors, I've googled and it seems to be tied up with Edge Subscriptions. I have looked under the Edge subscriptions tab and nothing has been set up, have I missed an important step not having a receive connector?
Thanks
Adam
ASKER
Sorry ignore that I've found the receive connectors. The FQDN on the default one was set to servername.domain.local so should I change that to the principal name of the SSL cert i.e. owa.domain.co.uk?
Thanks
Adam
Yes exactly, it has to match. In some cases, Exchange will not allow you to change it. Just create another one, and specify "owa.domain.co.uk" right from the get go. After the second receive connector (if required) is added, copy all other settings from your first receive connector.
Then delete the first receive connector and try the cmdlet again.
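A diagnostic script for the situation in this thread, added here as an example (it is not from the thread, from Lance, or from Microsoft). It assumes the GoDaddy thumbprint quoted above and the standard Exchange 2007 cmdlets Get-ExchangeCertificate, Get-ReceiveConnector and Enable-ExchangeCertificate; it checks the chain (the missing-intermediate case from the first reply), compares every Receive connector FQDN against the certificate's SANs (the "takes precedence" warnings), and lists the other certificates that overlap those names, before the enable step is run.

```powershell
# Added example: find out why Exchange 2007 keeps using a different certificate
# for TLS on a connector FQDN. Thumbprint and names are the ones from the thread;
# replace them with your own.
$thumb = '01236CDAAA070508368F9CD8590E75962BD9604E'   # GoDaddy UCC certificate

$cert = Get-ExchangeCertificate -Thumbprint $thumb
if (-not $cert) { throw "Certificate $thumb is not in the local machine store." }
$sans = @($cert.CertificateDomains | ForEach-Object { [string]$_ })
"Certificate $thumb covers: $($sans -join ', ')"

# 1. Chain check. A failed build (typically a missing intermediate) is what
#    browsers report as "not issued by a trusted authority".
$x509  = Get-ChildItem "Cert:\LocalMachine\My\$thumb"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($x509)) {
    foreach ($s in $chain.ChainStatus) { Write-Warning "Chain problem: $($s.Status) $($s.StatusInformation)" }
}

# 2. Every Receive connector FQDN must be one of the certificate's names; for any
#    FQDN that is not, Exchange picks whichever certificate does match it.
$problem = $false
foreach ($rc in Get-ReceiveConnector) {
    $fqdn = [string]$rc.Fqdn
    if ($sans -notcontains $fqdn) {
        $problem = $true
        Write-Warning "Receive connector '$($rc.Identity)' has FQDN '$fqdn', which is not in the SAN list."
    }
}

# 3. Other certificates whose names overlap ours are the ones that can
#    "take precedence" in the Enable-ExchangeCertificate warning.
foreach ($other in Get-ExchangeCertificate | Where-Object { $_.Thumbprint -ne $thumb }) {
    $overlap = @($other.CertificateDomains | ForEach-Object { [string]$_ } | Where-Object { $sans -contains $_ })
    if ($overlap.Count -gt 0) {
        "{0}  {1}  also claims: {2}" -f $other.Thumbprint, $other.Subject, ($overlap -join ', ')
    }
}

# 4. Only bind the services once every connector FQDN is covered.
if (-not $problem) {
    Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IMAP, POP, IIS, SMTP'
} else {
    Write-Warning 'Fix the connector FQDNs (Set-ReceiveConnector -Fqdn, or a new connector) and re-run.'
}
```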
ASKER
OK I deleted the default receive connector and created a new one using the proper FQDN, then ran the Enable-ExchangeCertificate -thumbprint 01236CDAAA070508368F9CD8590E75962BD9604E -services "imap, pop, iis, smtp" command and that worked, thank you.
I do have one worry: does it matter what IP address range I use in the "Receive mail from remote servers that have these IP addresses" section, bearing in mind I don't have any other mail servers as part of the organisation?
Thanks
Adam
ASKER CERTIFIED SOLUTION
ASKER
Lance you are an absolute star, thank you very much for your help and your very clear explanation, all working great now!
Thanks for the nice comment. Just new to EE and it's pretty cool.
All the best,
ASKER
Thanks
Adam