Johne75
asked on
Exchange SSL certificate is expired and also errors in event viewer
I am not at all familiar with certificates or the management shell. When I go into IIS and view the server certificates there are three. One for our company OWA (I think) mail.flow-rite.com and two that appear to be the same for our Exchange server, as the names are "Microsoft Exchange" and issued to and by our Exchange server EXCH01. When I view them they were both only valid until July 2010. I am also getting the error below in Event Viewer. According to our spam filter Vipre tech support I need to correct this to solve some issues we are having with spam. I run the command in the management shell defined in the error below and I get this:
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Thumbprint:
I have no idea what to do or if this is even the right path to correcting the issue.
Here is the Event Viewer error:
Microsoft Exchange couldn't find a certificate that contains the domain name EXCH01.Flow-Rite.lcl in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Flow-Rite.com Outbound with a FQDN parameter of EXCH01.Flow-Rite.lcl. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
this should help you out..
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html
If you use Exchange 2007 without SP2 (or 3.. don't know atm).. you don't have to renew it every year.. in the latest SP version it's valuable for 5 or 10 years. Correct me if I'm wrong.
ASKER
abbasifft,
The two in question are self-issued; I believe the mail.flow-rite is GoDaddy. I see the thumbprint numbers when I run the command. I assume this is what I need to enter when I run the command defined in the log error and it prompts me for thumbprint?
did you try this command?
Enable-ExchangeCertificate -Thumbprint <thumbprint of certificate> -Services SMTP
ASKER
When I do that I get this
cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Services:
Enable-ExchangeCertificate -<your thumprint> -Services "IMAP, POP, UM, IIS, SMTP"
Oops... here we go again:
Enable-ExchangeCertificate -Thumbprint <your thumbprint> -Services "IMAP, POP, UM, IIS, SMTP"
ASKER
abbasift,
I forgot to put the -Services SMTP at the end. When I do that it asks if I want to overwrite the third-party certificate that isn't expired with the one that is expired already??
dahesi,
I have read through your comments as well...
I think we are close but every time it asks me to overwrite the GoDaddy certificate with a certificate that is expired in 2010.
ASKER
Confirm
Overwrite existing default SMTP certificate, 'xxxxxxxxxxxxxxxxxxxxxxxxx xxx"' (expires 7/29/2012
9:42:19 AM), with certificate 'xxxxxxxxxxxxxxxxxxxxxxxxx xxxxxx' (expires 7/1/2010 12:55:36 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
SOLUTION
ASKER
When I create a new cert it still asks to overwrite the GoDaddy cert. I click no and it creates one anyway. I enable it, then the calls start to flood in with people getting this. What bothers me here is the error is saying it's for the mail.flow-rite.com cert. It wasn't supposed to overwrite this.
Below is a screenshot of IIS Manager. Top is the GoDaddy, next is the newly created EXCH01, last two are the expired EXCH01. I have a feeling something happened that shouldn't have. Please advise.
ASKER
Here is the text from when I created the new cert and typed n for no and it still created it.
Confirm
Overwrite existing default SMTP certificate, 'xxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx "' (expires 7/29/2012
9:42:19 AM), with certificate 'F2C2215D8B25C1D1A514E93023F2ECC04E089FC8' (expires 9/19/2012 11:01:40 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): n
Thumbprint Services Subject
---------- -------- -------
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxx ..... CN=EXCH01
ASKER
Now of course I get the "There is a problem with this website's security certificate" when trying to browse to this site.
ASKER CERTIFIED SOLUTION
ASKER
OK help me out how do I do that? This is all new to me. And thanks in advance for your patience!
All these you can do from EMC, no need of EMS, that will make you more confused.
How did you create the cert, from EMC or EMS?
ASKER
I didn't create any of the certs initially, just the one we discussed today. I created the new cert in the Exchange Shell per instruction on this thread. But that is very confusing. Can I do this in the GUI of IIS Management Console?
ASKER
I used the Get-ExchangeCertificate command and the GoDaddy cert still existed. I ran the enable command on it and all appears to be working fine now.
I am sorry for the delay as I got an urgent call
Did you enable SMTP on the GoDaddy certificate?
If SMTP is also enabled and working fine, it is done. No need to think further.
ASKER
I just used
Enable-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx xxx" -Services IIS
Does this enable SMTP?
yes
Send me a screenshot of output of this command
get-exchangecertificate
ASKER
Sorry for the delay, here you go
[PS] C:\Windows\system32>get-exchangecertificate
Thumbprint Services Subject
---------- -------- -------
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxx IP..S CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxx ...WS CN=mail.flow-rite.com, OU=Domain Control Validated, O...
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxx IP..S CN=EXCH01
xxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxx xxxxxx IP..S CN=EXCH01
SOLUTION
Run this command and check which certificates you have installed and what services are configured for them.
Get-Exchangecertificate
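An added example (not written by any poster in this thread) of the check the last reply asks for: it takes objects shaped like Get-ExchangeCertificate output and reports, per certificate, whether it is expired, enabled for SMTP, and contains the connector FQDN named in the event log error. The sample rows are constructed from the subjects and expiry dates quoted in the thread; the thumbprints are placeholders, and the CertificateDomains values, the evaluation date and the function names are assumptions.

```powershell
# Added example; needs PowerShell 2.0 or later. Input objects must expose the
# Get-ExchangeCertificate properties Thumbprint, Subject, Services, NotAfter, CertificateDomains.
function Test-SmtpCertificate {
    param([object[]]$Certificates, [string]$ConnectorFqdn, [datetime]$Now = (Get-Date))
    foreach ($cert in $Certificates) {
        $expired = $cert.NotAfter -lt $Now
        # Services is a flags value that prints as e.g. "IMAP, POP, SMTP"
        $hasSmtp = "$($cert.Services)" -match '\bSMTP\b'
        # -contains compares case-insensitively, as DNS names do
        $covers  = @($cert.CertificateDomains | ForEach-Object { "$_" }) -contains $ConnectorFqdn

        if     ($expired -and $hasSmtp) { $verdict = 'EXPIRED but still enabled for SMTP' }
        elseif ($expired)               { $verdict = 'Expired: do not enable' }
        elseif (-not $covers)           { $verdict = 'Valid, but lacks the connector FQDN' }
        elseif ($hasSmtp)               { $verdict = 'OK for STARTTLS on this connector' }
        else                            { $verdict = 'Candidate: enable for SMTP' }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
            NotAfter   = $cert.NotAfter;   Verdict = $verdict
        } | Select-Object Thumbprint, Subject, NotAfter, Verdict
    }
}

# Hypothetical helper that builds one constructed sample row.
function New-SampleCert {
    param([string]$Thumbprint, [string]$Subject, [string]$Services,
          [datetime]$NotAfter, [string[]]$Domains)
    New-Object PSObject -Property @{
        Thumbprint = $Thumbprint; Subject = $Subject; Services = $Services
        NotAfter   = $NotAfter;   CertificateDomains = $Domains
    }
}

# Constructed sample data (placeholder thumbprints, assumed domain lists).
$lcl = @('EXCH01', 'EXCH01.Flow-Rite.lcl')
$sample = @(
    (New-SampleCert 'PLACEHOLDER-NEW'  'CN=EXCH01' 'IMAP, POP, SMTP' '2012-09-19' $lcl),
    (New-SampleCert 'PLACEHOLDER-GD'   'CN=mail.flow-rite.com' 'IIS, SMTP' '2012-07-29' @('mail.flow-rite.com')),
    (New-SampleCert 'PLACEHOLDER-OLD1' 'CN=EXCH01' 'IMAP, POP, SMTP' '2010-07-01' $lcl),
    (New-SampleCert 'PLACEHOLDER-OLD2' 'CN=EXCH01' 'IMAP, POP, SMTP' '2010-07-01' $lcl)
)

Test-SmtpCertificate -Certificates $sample -ConnectorFqdn 'EXCH01.Flow-Rite.lcl' `
    -Now ([datetime]'2011-09-20') | Format-Table -AutoSize

# On the Exchange server itself, feed it the real objects instead of $sample:
# Test-SmtpCertificate -Certificates (Get-ExchangeCertificate) -ConnectorFqdn 'EXCH01.Flow-Rite.lcl'
```

Only a thumbprint whose verdict is "Candidate" needs Enable-ExchangeCertificate -Services SMTP; a row reported as expired should never be the one supplied to the overwrite prompt quoted earlier in the thread.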