cmara1234

asked on

Exchange 2007 Certificates issue

Our SSL certificate expired from GoDaddy yesterday evening (poor planning on my part).  I quickly renewed the certificate this morning; but after completing the CSR and importing it into Exchange, I have lost external connectivity (RPC / HTTPS and OWA).  Also, I have mail piling up in both my internal queue (Hub / MBox server) and external queue (CAS server).

The only possibility I can see is that I didn't allow for the autodiscover SAN on the certificate; and I have added it with GoDaddy, just waiting for it to be confirmed.

Am I missing something?  Even without the autodiscover name, should mail at the external not be able to talk with the internal and vice-versa?

Thanks,

Chris
Andrew_Cz

I've had this happen to me before.  I can't remember 100% what I did but I believe I just reverted back by using the Backup/Restore Configuration tool (right-click on your server in IIS -> All Tasks).  Just revert back to when it was working (you can do a manual save first if you like).

Chris
Yeah, you should have problems like that with the queues.
Do you have the SMTP service attached to the certificate? You could always remove that.

Check to see if you have external problems, using telnet to check responses from the SMTP port.
Do the mail items have error codes, or are they just sat there?
cmara1234 (ASKER)

I was able to revert back to the previous IIS config, which cleared the queues; but also puts back into place the old SSL cert.  I have re-created the SSL cert (from GoDaddy) and included the appropriate SANs, but I am still having issues.

I can import the new certificate, and everything stops there.  If I re-enable the old cert (both in Exch Shell and IIS) then everything comes back instantly.  This leaves me to believe that I am missing something with the cert.

???
Yes, I forgot to mention that after the restore using the IIS config tool you need to import.  That's how I got my GoDaddy renewed cert working with OWA.

What do you mean everything stops there? Do you get an error? Is the certificate wrong? Or do you just mean OWA breaks after you import your cert?
OWA stops, Outlook anywhere stops, queues start building up.

I just had a long conversation with GoDaddy, and they agree that I am following the correct steps to create and import / enable the new cert.  We just revoked the cert and recreated a new one; but I am getting the same results.

Here is part of the results from www.testexchangeconnectivity.com:

Attempting to test potential Autodiscover URL https://autodiscover.tgo.ca/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.tgo.ca in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 66.212.177.226
Testing TCP port 443 on host autodiscover.tgo.ca to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.tgo.ca on port 443.
ExRCA wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
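Two of the checks raised in this thread (the telnet test of the SMTP port and the TLS handshake that ExRCA reports as "SSL negotiation wasn't successful") can be reproduced from any Windows machine with PowerShell. The script below is an added example, not code from the thread, from ExRCA or from Microsoft; the host names and ports are parameters you supply, and the example.com names in the usage comments are placeholders rather than values from this thread.

```powershell
# Added example (not from this thread, ExRCA or Microsoft). Read-only probes: they
# report what a server presents on 443 and 25 and change nothing.

function Test-TlsEndpoint {
    # Complete a TLS handshake against HostName:Port and report the certificate presented.
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443
    )
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; HandshakeOk = $false; Protocol = $null
        Subject = $null; Issuer = $null; NotAfter = $null; Expired = $null
        SubjectAltNames = @(); NameMatches = $false; ChainValid = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever certificate arrives so the handshake itself can finish;
        # validity is then checked explicitly below instead of being hidden in an exception.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $result.HandshakeOk = $true
        $result.Protocol    = $ssl.SslProtocol.ToString()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.NotAfter   = $cert.NotAfter
        $result.Expired    = ($cert.NotAfter -lt (Get-Date))
        $result.ChainValid = $cert.Verify()      # chain built against this machine's trust store
        # 2.5.29.17 is the Subject Alternative Name extension; Format() gives "DNS Name=a, DNS Name=b"
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $result.SubjectAltNames = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
        }
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        # Exact-match only; wildcard names are not evaluated here.
        $result.NameMatches = ($result.SubjectAltNames -contains $HostName) -or ($cn -eq $HostName)
        $ssl.Close()
    } catch {
        # This branch is the condition ExRCA describes as "SSL negotiation wasn't successful".
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    return $result
}

function Get-SmtpGreeting {
    # Read the SMTP banner, send EHLO and report whether STARTTLS is offered (the telnet check, scripted).
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 25
    )
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Banner = $null; StartTlsOffered = $false; Response = @(); Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true
        $result.Banner = $reader.ReadLine()
        $writer.WriteLine('EHLO probe.example.invalid')   # placeholder client name
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { break }
            $lines += $line
        } while ($line -match '^\d{3}-')                   # "250-" lines continue, "250 " ends the reply
        $writer.WriteLine('QUIT')
        $result.Response        = $lines
        $result.StartTlsOffered = [bool]($lines -match '^250[- ]STARTTLS')
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    return $result
}

# Usage (placeholder names):
# Test-TlsEndpoint -HostName 'autodiscover.example.com' -Port 443 | Format-List
# Get-SmtpGreeting -HostName 'mail.example.com' | Format-List
```

A handshake that fails outright (HandshakeOk false, Error set) points at the certificate binding on the server, as in the ExRCA output above; a handshake that succeeds but shows NameMatches false or Expired true points at the certificate's contents instead. On the SMTP side, a banner that never arrives or an EHLO reply without STARTTLS is what a queue full of stuck mail usually looks like from outside.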
Did you do any DNS changes just prior to or after the cert renewal? I'd double check if they're correct and wait up to 72 hrs for the changes to propagate.

Did you get those results using the Remote Connectivity Analyzer Tool? Looks like it.
What key size did you use to generate the certificate?
You can do a check to make sure that the server is able to respond on SSL v2 and above:
http://www.digicert.com/help/

Did you reboot the server after putting the new cert on, or just do an IIS reset?
We have not done any DNS changes, and the cert is generated at KeySize 2048.  I have been trying to work with MS Support, and they too are stumped.  Definitely a cert issue, as everything dies with the new certificate, but works with the old one.  We have re-created and re-keyed the cert multiple times to no avail.  I will keep posting any solutions from MS on this one...
While I am still working with MS's support, with no sign of success; here are a couple of updates that I would appreciate some assistance with...

When I upload a new certification, the biggest issue I notice is that the synchronization with the Edge server stops.  When I run a test-edgesynchronization from the internal server, everything displays as a success except for the Transport Server Status is appearing as Not Synchronized.  If I re-enable the expired certificate, everything shows as Synchronized.

Any help would be greatly appreciated.
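The pattern described in this thread (the new certificate imports cleanly, but every service dies once it is enabled and comes back the moment the old thumbprint is re-enabled, with Test-EdgeSynchronization showing the Transport Server as Not Synchronized) is usually something about the certificate object itself rather than the import step. The script below is an added example for the Exchange 2007 Management Shell, not code from the thread or from Microsoft: it checks a newly imported certificate for the things that make a swap fail (no private key paired with it, a name missing from the SAN list, validity window, services not carried over from the certificate currently in use) before it is enabled, and only with -Enable does it switch services over and re-run Test-EdgeSynchronization. $NewThumbprint and the names in $RequiredNames are inputs you supply; the example.com names are placeholders.

```powershell
# Added example (not from this thread or from Microsoft). Run in the Exchange 2007
# Management Shell on the Hub/CAS server. Dry run by default; -Enable is required
# to change anything. Uses only Get-/Enable-ExchangeCertificate and Test-EdgeSynchronization.

function Test-NewExchangeCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$NewThumbprint,
        [string[]]$RequiredNames = @('mail.example.com', 'autodiscover.example.com'),  # placeholders
        [switch]$Enable
    )
    $certs = @(Get-ExchangeCertificate)
    $new = $certs | Where-Object { $_.Thumbprint -eq $NewThumbprint }
    if (-not $new) { throw "No certificate with thumbprint $NewThumbprint in the local computer store." }

    $problems = @()
    # A response imported on a different box than the one that made the CSR has no private key;
    # Exchange will list it, but TLS can never complete with it.
    if (-not $new.HasPrivateKey) {
        $problems += 'No private key attached: generate the CSR and import the response on this same server.'
    }
    $now = Get-Date
    if ($new.NotBefore -gt $now) { $problems += "Not valid until $($new.NotBefore)." }
    if ($new.NotAfter  -lt $now) { $problems += "Expired on $($new.NotAfter)." }

    # Every name clients and the Edge server connect to must appear in the SAN list (exact match;
    # wildcard entries are not expanded here).
    $domains = @($new.CertificateDomains | ForEach-Object { "$_".ToLower() })
    foreach ($name in $RequiredNames) {
        if ($domains -notcontains $name.ToLower()) {
            $problems += "$name is not covered; certificate names: $($domains -join ', ')"
        }
    }

    # The certificate currently serving traffic defines the service set the new one must take over
    # (e.g. IIS,SMTP). Enabling fewer services than before is how OWA or SMTP silently loses TLS.
    $current  = $certs | Where-Object { $_.Thumbprint -ne $NewThumbprint -and "$($_.Services)" -ne 'None' }
    $services = @($current | ForEach-Object { "$($_.Services)" -split ',\s*' } | Sort-Object -Unique)
    if ($services.Count -eq 0) { $problems += 'No other certificate has services enabled; pick the service list by hand.' }

    $report = New-Object PSObject -Property @{
        Thumbprint     = $new.Thumbprint
        Subject        = $new.Subject
        Names          = $domains
        HasPrivateKey  = $new.HasPrivateKey
        NotAfter       = $new.NotAfter
        ServicesToTake = $services
        Problems       = $problems
        Enabled        = $false
        EdgeSync       = $null
    }

    if ($Enable -and $problems.Count -eq 0) {
        Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services ($services -join ',')
        $report.Enabled = $true
        if (Get-Command Test-EdgeSynchronization -ErrorAction SilentlyContinue) {
            # The same check used in the thread: the subscription should read Synchronized again.
            $report.EdgeSync = Test-EdgeSynchronization | Select-Object Name, SyncStatus, TransportServerStatus
        }
    }
    return $report
}

# Usage: dry run first, then enable and re-test (thumbprint is a placeholder).
# Test-NewExchangeCertificate -NewThumbprint '<new thumbprint>' | Format-List
# Test-NewExchangeCertificate -NewThumbprint '<new thumbprint>' -Enable | Format-List
```

Leave the old certificate in the store until the new one passes the dry run; if the switch still breaks something, the rollback is Enable-ExchangeCertificate on the old thumbprint with the same service list, which is quicker and less disruptive than restoring the whole IIS configuration.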
ASKER CERTIFIED SOLUTION
cmara1234

problem resolved with Microsoft's assistance.