Solved

Exchange 2007 apparent certificate error

Posted on 2010-11-22
Last Modified: 2012-05-10
Hi,
This is Exchange Server 2007 running on Windows Server 2003 R2 Standard SP2 x64.
The system has been running since late 2007.
In October 2009 I installed a GlobalSign SSL certificate so that mobile workers could use Outlook, some using the https connection to Exchange, some preferring to use Outlook Web Access.
This is still working fine.

However, recently I am getting errors in the Application Event log telling me that the current certificate for this server has expired, and yet the expiry date is clearly marked as October 2011.

I should also add here that the status of the certificate has always appeared as 'Invalid' in the management shell listing from the day it was installed (as shown in one of the attached screen shots).

Because of the recent errors appearing I am now concerned that the system may stop working, so I would like to find and correct this anomaly.

I did of course try to sort this out with Global Sign when the certificate was originally installed, but we failed. I eventually left it because the system was actually working fine.

As always any suggestions are welcomed.
[Attached screen shots: Management shell listing showing the Invalid status; Screen shot showing the certificate status as OK; Screen shot confirming the dates for the certificate; This Application log entry is now appearing regularly]
0
Question by:Nick Brown
14 Comments
 
LVL 33

Expert Comment

by:Busbar
ID: 34187517
this is done because the FQDN of the certificate doesn't match server.bleplantsales.com so either change that name to a name included in the cert or include that name in the cert
0
 
LVL 9

Expert Comment

by:losip
ID: 34187603
@busbar: Difficult to tell thru the yellow marker but the name looks right to me: bte-server.bteplantsales.com
0
 

Author Comment

by:Nick Brown
ID: 34187660
Hello busbar,

Thanks for your comment.

Actually the server name is not 'server...'  Is this a special name that has to be used?
In all the places above, the server name listed is the same.

Nick
0
 
LVL 33

Expert Comment

by:Busbar
ID: 34187684
in the image it is bte-server.bteplantsales.com :) there is a missing name that wasn't highlighted :D
in both cases the name in the receive connector must be included in the cert
0
 

Author Comment

by:Nick Brown
ID: 34187886
Thanks for your comments, to be honest I was actually trying to hide the exact name, but I don't suppose it really matters :)

As far as I can see it is bte-server.bteplantsales.com everywhere.
However, there is also the internal name, which is bte-server.bteplantsales.local
Is this possibly causing the problem?

Nick
0
 
LVL 33

Expert Comment

by:Busbar
ID: 34187904
what is the FQDN on the receive connector
0
 

Author Comment

by:Nick Brown
ID: 34188017
The receive connector is using the internal name, i.e. bte-server.bteplantsales.local
0
 
LVL 33

Expert Comment

by:Busbar
ID: 34188038
then make it one of the names included in the certificate.
0
 

Author Comment

by:Nick Brown
ID: 34188061
ok, will that not 'break' the connection to all the internal PCs with Outlook which are also using the internal name?
They can't use the .com name because DNS points to the correct public IP.
0
 

Author Comment

by:Nick Brown
ID: 34188066
Sorry, I meant to say that there is a separate self-generated certificate covering the .local name
0
 
LVL 33

Expert Comment

by:Busbar
ID: 34188072
this is the FQDN on the receive connector presented to users when sending the hello message, it has nothing related to which name users are connecting
0
 

Author Comment

by:Nick Brown
ID: 34188129
I must apologise for my lack of understanding here. But please bear with me. There is another connector that says the response to HELO is the .com name.
This is in the HUB transport under 'Organisation Configuration'

The .local name is in the 'Server Configuration' section, also under HUB transport.

0
 

Accepted Solution

by:Nick Brown earned 0 total points
ID: 34213472
Ok, I changed the name on the 'Receive Connector' in the 'Server Configuration' section to match all the others above, i.e. the one ending with .com, which also matches the domain named in the commercial certificate from GlobalSign.

There are other places in 'Server Configuration' where the name used is the .local name. Specifically in Server Properties, on the General TAB the name of the Domain controller servers and catalog servers. This information was automatically inserted at install time.

Everything is still working correctly, just as it was, but of course the errors are still just the same too, i.e. the system says the certificate has expired.

So, I took a closer look myself and I have the solution here. Probably there are many good Exchange Admins out there moderately amused by this, but never mind, here's what was wrong and what fixed it:-

First, the error, as shown above is specific about two things: it says expired, and it refers to the public FQDN (...com)
Fair enough, one of the 4 certificates was indeed expired, and referred to the public FQDN - the last one in the list issued by StartCom.

This, and the further clue that the short listing of get-ExchangeCertificate showed that the currently valid certificate from GlobalSign was only intended for IIS, shown as 'W' in the listing.

So the following three commands were all that were required. Two to remove the expired certificates, and one to generate a new, self signed certificate for the public FQDN. The GlobalSign was, and still is, working for Outlook Web Access and mobile devices.

Remove-ExchangeCertificate -Thumbprint FE69FECE056F3677999052EB67A7757D85447EED
Remove-ExchangeCertificate -Thumbprint BB0E89F501C7837AE5796B86444F785EB877A6A4
new-ExchangeCertificate -DomainName bte-server.bteplantsales.com

No more errors :)
0
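Added example, not code from the thread or from Microsoft: a PowerShell pass through the same diagnosis in the Exchange 2007 Management Shell. It lists every Exchange certificate with its expiry date, enabled services and domain list (the detail the short Get-ExchangeCertificate listing hides), checks each receive connector FQDN against the certificates that are still valid, and previews the clean-up with -WhatIf. The public FQDN is the one used in the thread; the cmdlets and property names are assumed to be the Exchange 2007 ones, and it goes one step beyond the thread by preferring to bind an existing valid certificate to SMTP with Enable-ExchangeCertificate before falling back to the author's New-ExchangeCertificate self-signed fix.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 Management Shell.
# Nothing below changes anything: the Remove-/Enable-/New- calls all carry -WhatIf.
$publicFqdn = 'bte-server.bteplantsales.com'   # public FQDN from the thread
$now = Get-Date

# Flatten each certificate to the fields that matter for the diagnosis.
# Services is an enum ("IMAP, POP, IIS, SMTP"); CertificateDomains is a collection
# of domain objects, so both are turned into plain strings for comparison.
$certs = Get-ExchangeCertificate | Select-Object Thumbprint, Status, NotAfter,
    @{Name='Services'; Expression={ $_.Services.ToString() }},
    @{Name='Domains';  Expression={ @($_.CertificateDomains | ForEach-Object { $_.ToString() }) }}

# Full listing: expiry and services side by side, which the default output does not show.
$certs | Format-Table Thumbprint, Status, Services, NotAfter -AutoSize

# The event log error names SMTP and the public FQDN, so split the certificates that
# cover that name into expired ones and valid ones that are actually enabled for SMTP.
$coversFqdn = $certs | Where-Object { $_.Domains -contains $publicFqdn }
$expired    = $coversFqdn | Where-Object { $_.NotAfter -lt $now }
$validSmtp  = $coversFqdn | Where-Object { $_.NotAfter -ge $now -and $_.Services -match 'SMTP' }

# Cross-check the receive connectors (the point raised in the thread): every connector
# FQDN must appear in the domain list of a certificate that has not expired.
Get-ReceiveConnector | ForEach-Object {
    $fqdn = $_.Fqdn.ToString()
    $covered = $certs | Where-Object { $_.NotAfter -ge $now -and $_.Domains -contains $fqdn }
    if ($covered) { "OK      $($_.Name): $fqdn" }
    else          { "MISSING $($_.Name): $fqdn is not in any valid certificate" }
}

# Preview removal of the expired certificates; drop -WhatIf once the list looks right.
foreach ($c in $expired) {
    Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -WhatIf
}

# If nothing valid is bound to SMTP, bind the newest valid certificate that covers the
# FQDN; only if there is none, issue a self-signed one as the thread's author did.
if (-not $validSmtp) {
    $candidate = $coversFqdn | Where-Object { $_.NotAfter -ge $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($candidate) {
        Enable-ExchangeCertificate -Thumbprint $candidate.Thumbprint -Services SMTP -WhatIf
    } else {
        New-ExchangeCertificate -DomainName $publicFqdn -WhatIf
    }
}
```

Run it as-is first and read the table and any MISSING lines; the removal and binding steps only take effect after -WhatIf is removed. Binding the commercial certificate to SMTP keeps one certificate to renew instead of two, which is why the example tries that before creating a self-signed one.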
 

Author Closing Comment

by:Nick Brown
ID: 34246197
I should have looked more carefully at my own question before posting. It wasn't really difficult. And the answer is straightforward, as I've shown it.
The experts probably assumed that I would have done this so were looking at less obvious solutions.
0