Solved

Exchange 2007 Certificates issue

Posted on 2011-10-24
361 Views
Last Modified: 2012-05-12
Our SSL certificate expired from GoDaddy yesterday evening (poor planning on my part).  I quickly renewed the certificate this morning; but after completing the CSR and importing it into Exchange, I have lost external connectivity (RPC / HTTPS and OWA).  Also, I have mail piling up in both my internal queue (Hub / MBox server) and external queue (CAS server).

The only possibility I can see is that I didn't allow for the autodiscover SAN on the certificate; and I have added it with GoDaddy, just waiting for it to be confirmed.

Am I missing something?  Even without the autodiscover name, should mail at the external not be able to talk with the internal and vice-versa?

Thanks,

Chris
Question by:cmara1234

11 Comments
 
LVL 3

Expert Comment

by:Andrew_Cz
ID: 37019646
I've had this happen to me before.  I can't remember 100% what I did but I believe I just reverted back by using the Backup/Restore Configuration tool (right-click on your server in IIS -> All Tasks).  Just revert back to when it was working (you can do a manual save first if you like).

0
 
LVL 18

Expert Comment

by:Chris
ID: 37019785
Yeah, you should have problems like that with the queues.
Do you have the SMTP service attached to the certificate? You could always remove that.

Check to see if you have external problems using telnet to check responses from the SMTP port.
Do the mail items have error codes, or are they just sat there?
0
 

Author Comment

by:cmara1234
ID: 37025254
I was able to revert back to the previous IIS config, which cleared the queues; but also puts back into place the old SSL cert.  I have re-created the SSL cert (from GoDaddy) and included the appropriate SANs, but I am still having issues.

I can import the new certificate, and everything stops there.  If I re-enable the old cert (both in Exch Shell and IIS) then everything comes back instantly.  This leads me to believe that I am missing something with the cert.

???
0
 
LVL 3

Expert Comment

by:Andrew_Cz
ID: 37025450
Yes, I forgot to mention that after restoring using the IIS config tool you need to import.  That's how I got my GoDaddy renewal cert working with OWA.

What do you mean everything stops there? Do you get an error? Is the certificate wrong? Or do you just mean OWA breaks after you import your cert?
0
 

Author Comment

by:cmara1234
ID: 37025790
OWA stops, Outlook anywhere stops, queues start building up.

I just had a long conversation with GoDaddy, and they agree that I am following the correct steps to create and import / enable the new cert.  We just revoked the cert and recreated a new one; but I am getting the same results.

Here is part of the results from www.testexchangeconnectivity.com:

Attempting to test potential Autodiscover URL https://autodiscover.tgo.ca/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.tgo.ca in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 66.212.177.226
Testing TCP port 443 on host autodiscover.tgo.ca to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.tgo.ca on port 443.
ExRCA wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
0
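The ExRCA output above stops at "SSL negotiation wasn't successful", which says nothing about why. The following PowerShell script is an added example, not part of the thread or of ExRCA; it repeats the same two steps (TCP connect, then TLS handshake) from any Windows workstation and, when the handshake does succeed, prints the expiry and SAN list of the certificate the server actually presented. The host name and port at the top are placeholders to replace with your own Client Access or Edge server name.

```powershell
# Added diagnostic (not from the thread): mimic ExRCA's "TCP port" and "SSL certificate"
# test steps locally. $HostName is a placeholder, not the poster's server.
param(
    [string]$HostName = 'autodiscover.example.com',
    [int]$Port = 443
)

# Step 1: TCP reachability (ExRCA: "Testing TCP port 443 ... listening and open")
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($HostName, $Port)
    Write-Host "TCP $Port open on $HostName"
} catch {
    Write-Host "TCP connect failed: $($_.Exception.Message)"
    return
}

# Step 2: TLS negotiation. Chain/name validation errors are recorded instead of
# thrown so the certificate can still be inspected afterwards.
$script:validationErrors = 'None'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:validationErrors = $errors
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)
} catch {
    # This is the branch the ExRCA output landed in: the handshake itself failed, which
    # points at the server side (for example a bound certificate with no usable private key).
    Write-Host "SSL negotiation failed: $($_.Exception.GetBaseException().Message)"
    $client.Close()
    return
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Expires    : $($cert.NotAfter)  (expired: $($cert.NotAfter -lt (Get-Date)))"
Write-Host "Validation : $script:validationErrors"

# Step 3: does the presented certificate cover the name we connected to?
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($sanExt) {
    # Format($true) yields one "DNS Name=host" line per entry on Windows
    $names = $sanExt.Format($true) -split "`r?`n" |
             ForEach-Object { ($_ -split '=')[-1].Trim() } |
             Where-Object { $_ }
    Write-Host "SANs       : $($names -join ', ')"
    if ($names -notcontains $HostName) { Write-Host "WARNING: $HostName is not in the SAN list" }
} else {
    Write-Host "No SAN extension; only the CN $($cert.GetNameInfo('SimpleName', $false)) will match"
}

$ssl.Close()
$client.Close()
```

If the script reports the TCP port open but the handshake failing, the certificate and its private key on the server are the first thing to check; if the handshake succeeds but the name is missing from the SAN list, the certificate request is the problem instead.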
 
LVL 3

Expert Comment

by:Andrew_Cz
ID: 37025913
Did you do any dns changes just prior to or after the cert. renewal? I'd double check if they're correct and wait up to 72 hrs for the changes to propagate.

Did you get those results using the Remote Connectivity Analyzer Tool? Looks like it.
0
 
LVL 18

Expert Comment

by:Chris
ID: 37026564
What key size did you use to generate the certificate?
You can do a check to make sure that the server is able to respond on SSL v2 and above:
http://www.digicert.com/help/

Did you reboot the server after putting the new cert on, or just do an iisreset?
0
 

Author Comment

by:cmara1234
ID: 37065177
We have not done any DNS changes, and the cert is generated at KeySize 2048.  I have been trying to work with MS Support, and they too are stumped.  Definitely a cert issue, as everything dies with the new certificate, but works with the old one.  We have re-created and re-keyed the cert multiple times to no avail.  I will keep posting any solutions from MS on this one...
0
 

Author Comment

by:cmara1234
ID: 37132359
While I am still working with MS support, with no sign of success, here are a couple of updates that I would appreciate some assistance with...

When I upload a new certificate, the biggest issue I notice is that the synchronization with the Edge server stops.  When I run a Test-EdgeSynchronization from the internal server, everything displays as a success except for the Transport Server Status, which appears as Not Synchronized.  If I re-enable the expired certificate, everything shows as Synchronized.

Any help would be greatly appreciated.
0
 

Accepted Solution

by: cmara1234 (earned 0 total points)
ID: 37264331
It turned out that (with Microsoft's help) I exported the key with Private Key, then re-imported that exact same key, and everything worked fine.

Somewhere along the lines, the private keys (or the store) became corrupt.
0
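The accepted solution (export with the private key, re-import the same certificate) as Exchange Management Shell commands. This is an added example written for this page, not the poster's or Microsoft's exact commands; it assumes Exchange 2007 SP1 or later on the CAS/Hub server, and the thumbprint, PFX path and the explicit Remove-ExchangeCertificate step before the re-import are assumptions, not steps the thread states. The first block is the check that would have shown the problem earlier: a certificate whose HasPrivateKey is False cannot complete a TLS handshake, which matches "everything dies with the new cert, works with the old one".

```powershell
# Added example (not the thread's own commands). Placeholders: replace $thumb with the
# thumbprint from Get-ExchangeCertificate, and $pfx with a path on the server.
$thumb = '<THUMBPRINT-OF-NEW-CERT>'
$pfx   = 'C:\certs\exchange-reexport.pfx'

# 1. Confirm what Exchange and the Windows store know about the certificate.
#    HasPrivateKey = False on a certificate that was issued from a local CSR is the
#    "private key (or the store) became corrupt" symptom from the accepted answer.
Get-ExchangeCertificate -Thumbprint $thumb |
    Format-List Subject, CertificateDomains, Services, HasPrivateKey, NotAfter
$store = Get-ChildItem "Cert:\LocalMachine\My\$thumb"
"Windows store sees private key: $($store.HasPrivateKey)"
certutil -verifystore My $thumb | Select-String 'Private key|key container|ERROR'

# 2. Export with the private key (PFX), as in the accepted answer.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Path $pfx -Password $pfxPassword

# 3. Remove the broken instance (assumption: avoids an "already exists" clash) and
#    re-import the very same certificate from the PFX.
Remove-ExchangeCertificate -Thumbprint $thumb -Confirm:$false
Import-ExchangeCertificate -Path $pfx -Password $pfxPassword

# 4. Re-bind the services (the thumbprint is unchanged) and verify the result.
Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IIS,SMTP'
iisreset
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Services, HasPrivateKey
# Hub -> Edge check the poster used; TransportServerStatus should now read Synchronized.
Test-EdgeSynchronization
```

Run the step 1 check after every import: if HasPrivateKey is False or certutil cannot find the key container, IIS and the transport services are holding a certificate they cannot use, and no amount of re-keying at the CA will fix it until the store-side copy is repaired.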
 

Author Closing Comment

by:cmara1234
ID: 37284045
Problem resolved with Microsoft's assistance.
0
