Solved

Expired Exchange Certificate

Posted on 2012-04-10
16
875 Views
Last Modified: 2012-06-21
I have a GoDaddy SSL certificate installed on my 2007 Exchange server. It has the external and internal domain names, and the autodiscover for both. Today the internal clients started popping up a message that the certificate was expired, and offering a login for the Exchange server. Externally, phones are syncing using SSL, and if I go to Outlook Web Access I can see that the certificate for it is valid. Outlook Web Access with https is even working internally. In the server's event log there is a message that a certificate is expiring or expired, and gives the thumbprint. That thumbprint corresponds to the GoDaddy certificate that was valid from Sept. 2010 - Sept. 2011. There is a new certificate which is identical which is valid from Sept. 2011 - Sept. 2012. In Exchange, the newer certificate is applied to services POP, IMAP, SMTP and Web. The older one is applied to POP and IMAP (which aren't being used). I am totally confused as to why this certificate, which expired months ago, is suddenly causing these problems, and apparently only for the internal autodiscover portion of the certificate. And how do I fix it? Is it as simple as removing that certificate? I don't think so because for whatever reason the system thinks it needs this certificate for internal autodiscover. Please help!!!
Question by: landiiiks2

16 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830859
Are there any entries in Event Viewer related to the expired certificate?

Go ahead and remove the expired certificate.  No reason to keep it.  Then register the valid certificate again.
0
 

Author Comment

by:landiiiks2
ID: 37830909
Yes - there is a CertificateServicesClient - AutoEnrollment Event 64 - certificate is about to or has already expired. A few of them over the past several days. They list the thumbprint of the old GoDaddy certificate. I'll remove the old certificate and re-register the valid one - hopefully that will work. I'm still mystified as to why this happened...
0
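The check and the fix discussed in the two comments above (awaggoner's "remove the expired certificate, then register the valid one again" and the Event 64 entries the author found) as one script. This is an added example, not code from the thread or from Microsoft; it assumes the Exchange Management Shell on the Exchange 2007 server with PowerShell 2.0 or later, and the two thumbprint variables are placeholders to be filled in from the inventory output.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 server (PowerShell 2.0 or later assumed). The two thumbprint
# variables are placeholders: fill them in from the inventory output before use.

# 1. Confirm what the event log is reporting. The author saw Event 64 from
#    CertificateServicesClient-AutoEnrollment in the Application log; the source
#    filter below is a wildcard so it matches that provider's display name.
Get-EventLog -LogName Application -After (Get-Date).AddDays(-7) |
    Where-Object { $_.EventID -eq 64 -and $_.Source -like '*AutoEnrollment*' } |
    Select-Object TimeGenerated, Source, Message |
    Format-List

# 2. Inventory the certificates Exchange knows about and flag any that are expired
#    but still bound to a service. That combination is what the thread found:
#    the 2010-2011 GoDaddy certificate was still assigned to POP and IMAP.
$now   = Get-Date
$certs = Get-ExchangeCertificate
$certs |
    Select-Object Thumbprint, NotBefore, NotAfter, Services,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } },
        @{ Name = 'Domains'; Expression = { $_.CertificateDomains -join ', ' } } |
    Format-Table -AutoSize

$expiredInUse = $certs | Where-Object {
    $_.NotAfter -lt $now -and $_.Services.ToString() -ne 'None'
}
foreach ($c in $expiredInUse) {
    Write-Warning ("Expired certificate {0} is still bound to: {1}" -f $c.Thumbprint, $c.Services)
}

# 3. Remediation, in the order awaggoner gave: remove the expired certificate,
#    then enable the valid one for every service it should serve.
$expiredThumbprint = 'PLACEHOLDER_EXPIRED_THUMBPRINT'
$validThumbprint   = 'PLACEHOLDER_VALID_THUMBPRINT'

if ($expiredThumbprint -notlike 'PLACEHOLDER*') {
    # -WhatIf only reports what would be removed; drop it once the thumbprint is confirmed.
    Remove-ExchangeCertificate -Thumbprint $expiredThumbprint -WhatIf
}
if ($validThumbprint -notlike 'PLACEHOLDER*') {
    # 'IIS' is the service name Exchange uses for OWA and Autodiscover ("web" in the question).
    Enable-ExchangeCertificate -Thumbprint $validThumbprint -Services 'IIS,SMTP,POP,IMAP'
    Get-ExchangeCertificate -Thumbprint $validThumbprint | Format-List Thumbprint, Services, NotAfter
}
```

The inventory step is the one worth keeping around: an expired certificate that is still bound to a service, even an unused one like POP or IMAP, is exactly the condition the event log was warning about, and it is invisible from the OWA certificate that browsers show.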
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830960
Should the certificate be registered for IIS as well as the other services?
0
 

Author Comment

by:landiiiks2
ID: 37830964
It is - I said "web" but I meant IIS. I have now removed the expired certificate from Exchange, and re-enabled the valid certificate. But I don't think it's fixed. When I try to go to https://autodiscover.domain.local/AutoDiscover/AutoDiscover.xml, I get a login box but putting in the credentials doesn't take me anywhere.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830989
Did you install any MS updates shortly before the problem started?

Also, check out this site to see if it has information relevant to your particular problem.
http://msexchangeguru.com/2010/10/05/autodiscover/
0
 

Author Comment

by:landiiiks2
ID: 37831003
Good thought, but I checked and there is nothing in the event log about updates being installed overnight last night.  I just don't get this - it's been working perfectly for two years.  If I go to https://servername/autodiscover/autodiscover.xml it works fine, but if I go to https://domain.local/autodiscover/autodiscover.xml it prompts for authentication and then goes to 401.1 error.  But OWA works fine internally and externally, and phones are syncing.  I have to have this fixed by morning...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831015
Have you confirmed name resolution is working correctly?
0
 

Author Comment

by:landiiiks2
ID: 37831018
Yes, internally I can do an nslookup for autodiscover.domain.local and also autodiscover.domain.net and they both resolve correctly to the server IP.
0
 
LVL 6

Accepted Solution

by: awaggoner (earned 500 total points)
ID: 37831020
0
 

Author Comment

by:landiiiks2
ID: 37831064
I think that fixed it, although I won't be sure until I can test from a computer through Outlook tomorrow.  After the reboot the SBS Web Applications wouldn't start, because Default Web Site was also using 443.  I specified the IP address in Default Web Site and they both started (not sure why that suddenly cropped up either...).  But now if I go to https://autodiscover.domain.local/autodiscover/autodiscover.xml it did prompt once for credentials, but when I put them in, it took me to the site.  I'll find out in the morning for sure.  I really, really appreciate your help and sticking with it.  And if you can explain to me WHY this happened I will award you 5,000 points!!!  Because that is still a total mystery to me...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831073
It's Microsoft.  That is all the explanation required.  :)

Good luck tomorrow.  

I'm glad you won't have to pull an all-nighter trying to fix it. I've had to do that a few times.
0
 

Author Comment

by:landiiiks2
ID: 37831078
But wait - now OWA is broken - 404 - file or directory not found.  Internally and externally.  WTH?
0
 

Author Comment

by:landiiiks2
ID: 37831087
Apparently still a conflict between Default Web Site and SBS Web Applications.  As long as I stop Default Web Site the other things work.  I'm just going to leave it stopped for tonight - I don't need any of those websites tomorrow...
0
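The conflict described in the two comments above (SBS Web Applications would not start because Default Web Site also claimed port 443, and the fix was to pin Default Web Site to a specific IP address) can be spotted from the IIS site list. This is an added example, not code from the thread; it assumes IIS 7 on Windows Server 2008 / SBS 2008 with appcmd.exe present, the sample appcmd output embedded below is constructed, and 192.0.2.10 is a placeholder address.

```powershell
# Added example, not from the thread. Parses appcmd.exe output (IIS 7 on Windows
# Server 2008 / SBS 2008) to find two sites that claim the identical binding,
# which is why SBS Web Applications would not start beside Default Web Site.
# The sample appcmd output below is constructed; 192.0.2.10 is a placeholder address.

function Find-DuplicateIisBindings {
    param([string[]]$SiteLines)   # lines as printed by: appcmd list site

    # Each line looks like:
    # SITE "Default Web Site" (id:1,bindings:http/*:80:,https/*:443:,state:Started)
    $pattern = '^SITE "([^"]+)" \(id:\d+,bindings:(.*),state:(\w+)\)$'
    $owners  = @{}   # binding string -> list of site names that claim it

    foreach ($line in $SiteLines) {
        if ($line -match $pattern) {
            $site = $matches[1]
            foreach ($binding in $matches[2].Split(',')) {
                if (-not $owners.ContainsKey($binding)) { $owners[$binding] = @() }
                $owners[$binding] += $site
            }
        }
    }

    # Two sites with the same protocol/address/port binding cannot both be started.
    $conflicts = @()
    foreach ($binding in $owners.Keys) {
        if ($owners[$binding].Count -gt 1) {
            $conflicts += New-Object PSObject -Property @{
                Binding = $binding
                Sites   = $owners[$binding]
            }
        }
    }
    return $conflicts
}

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (Test-Path $appcmd) {
    $siteLines = & $appcmd list site
} else {
    # Constructed sample so the logic can be read through without IIS present.
    $siteLines = @(
        'SITE "Default Web Site" (id:1,bindings:http/*:80:,https/*:443:,state:Started)',
        'SITE "SBS Web Applications" (id:2,bindings:http/*:987:,https/*:443:,state:Stopped)'
    )
}

foreach ($c in Find-DuplicateIisBindings $siteLines) {
    Write-Warning ("Binding {0} is claimed by: {1}" -f $c.Binding, ($c.Sites -join ', '))
}

# Remedy the thread used: give Default Web Site a specific address instead of '*',
# so the two https bindings no longer collide. /bindings: replaces the whole list,
# so include every binding the site should keep, and run it only after confirming
# which site should own the wildcard.
#   & $appcmd set site /site.name:"Default Web Site" /bindings:"http/192.0.2.10:80:,https/192.0.2.10:443:"
```

On the constructed sample the function reports `https/*:443:` as claimed by both sites. Note that a wildcard binding and a specific-IP binding on the same port are not reported, because IIS can start both; only identical binding strings collide.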
 

Author Comment

by:landiiiks2
ID: 37831092
Now when I try to send an email from outside the domain I'm getting Unable to Relay. This might be an all-nighter after all. How could that have been caused by what I've done??
0
 
LVL 9

Expert Comment

by:ash007
ID: 37831479
Can you check and let me know if any changes were made on the receive connector.
0
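A read-only check for the "Unable to Relay" symptom and the receive connector question above. This is an added example, not code from the thread; it assumes the Exchange Management Shell on Exchange 2007, and `domain.net` stands in for whatever external domain the outside senders are addressing. It reports the settings that decide whether Internet mail is accepted and changes nothing.

```powershell
# Added example, not from the thread. Exchange Management Shell on Exchange 2007.
# Lists receive connectors with the settings that govern whether outside senders
# can deliver mail, and flags the two usual causes of "Unable to relay": no enabled
# Internet-facing connector grants the Anonymous permission group, or the recipient
# domain is not an accepted domain. Read-only; nothing is modified.

function Test-InboundMailPath {
    param([string]$RecipientDomain)   # the domain outside senders address, e.g. domain.net

    $connectors = Get-ReceiveConnector
    $connectors |
        Select-Object Name, Enabled, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
        Format-List

    # PermissionGroups is a flags value; its string form lists every group granted.
    $anonymous = $connectors | Where-Object {
        $_.Enabled -and ($_.PermissionGroups.ToString() -match 'AnonymousUsers')
    }
    if (-not $anonymous) {
        Write-Warning "No enabled receive connector grants AnonymousUsers; Internet senders will get 'Unable to relay'."
    } else {
        # Even with Anonymous granted, the sender's address must fall inside RemoteIPRanges
        # and the connector must listen on the address/port the MX record points at.
        foreach ($c in $anonymous) {
            Write-Host ("Anonymous allowed on '{0}' for {1} via {2}" -f $c.Name, $c.RemoteIPRanges, $c.Bindings)
        }
    }

    if ($RecipientDomain) {
        $accepted = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $RecipientDomain }
        if (-not $accepted) {
            Write-Warning "$RecipientDomain is not an accepted domain; Exchange treats mail for it as relay and refuses it."
        }
    }
}

Test-InboundMailPath -RecipientDomain 'domain.net'
```

Comparing this output before and after anyone else has been in the server is the quickest way to answer the question ash007 asks: a connector that lost its Anonymous permission group, or a narrowed RemoteIPRanges, shows up immediately.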
 

Author Comment

by:landiiiks2
ID: 37849800
This is fixed - the email bouncing back was a separate (although related) issue and it is now fixed too.  Thank you so much to awaggoner for sticking with this and helping me out.  Apparently most or all issues were caused by a tech for a software manufacturer who had access to the server to set up a new software program for this company.  He started messing with Exchange settings (unbeknownst to me) even though he had no clue what he was doing.  Word to the wise - never trust anyone else in your server!!!
0
