Solved

Expired Exchange Certificate

Posted on 2012-04-10
16
881 Views
Last Modified: 2012-06-21
I have a GoDaddy SSL certificate installed on my 2007 Exchange server.  It has the external and internal domain names, and the autodiscover for both.  Today the internal clients started popping up a message that the certificate was expired, and offering a login for the Exchange server.  Externally, phones are syncing using SSL, and if I go to Outlook Web Access I can see that the certificate for it is valid.  Outlook Web Access with https is even working internally.  In the server's event log there is a message that a certificate is expiring or expired, and gives the thumbprint.  That thumbprint corresponds to the GoDaddy certificate that was valid from Sept. 2010 - Sept. 2011.  There is a new certificate which is identical which is valid from Sept. 2011 - Sept. 2012.  In Exchange, the newer certificate is applied to services POP, IMAP ,SMTP and Web.  The older one is applied to POP and IMAP (which aren't being used).  I am totally confused as to why this certificate, which expired months ago, is suddenly causing these problems, and apparently only for the internal autodiscover portion of the certificate.  And how do I fix it?  Is it as simple as removing that certificate?  I don't think so because for whatever reason the system thinks it needs this certificate for internal autodiscover.  Please help!!!
0
Comment
Question by:landiiiks2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
16 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830859
Are there any entries in Event Viewer related to the expired certificate?

Go ahead and remove the expired certificate.  No reason to keep it.  Then register the valid certificate again.
0
 

Author Comment

by:landiiiks2
ID: 37830909
Yes - there is a CertificateServicesClient - AutoEnrollment e\Event 64 - certificate is about to or has already expired.  A few of them over the past several days.  They list the thumbprint of the old GoDaddy certificate.  I'll remove the old certificate and re-register the valid one - hopefully that will work.  I'm still mystified as to why this happened...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830960
Should the certificate be registered for IIS as well as the other services?
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Author Comment

by:landiiiks2
ID: 37830964
It is - I said "web" but I meant IIS.  I have now removed the expired certificate from Exchange, and re-enabled the valid certificate.  But I don't think it's fixed.  When I try to go to https: / / autodiscover.domain.local / AutoDiscover / AutoDiscover.xml , I get a login box but putting in the credentials doesn't take me anywhere.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830989
Did you install any MS updates shortly before the problem started?

Also, check out this site to see if it has information relevant to your particular problem.
http://msexchangeguru.com/2010/10/05/autodiscover/
0
 

Author Comment

by:landiiiks2
ID: 37831003
Good thought, but I checked and there is nothing in the event log about updates being installed overnight last night.  I just don't get this - it's been working perfectly for two years.  If I go to https://servername/autodiscover/autodiscover.xml it works fine, but if I go to https://domain.local/autodiscover/autodiscover.xml it prompts for authentication and then goes to 401.1 error.  But OWA works fine internally and externally, and phones are syncing.  I have to have this fixed by morning...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831015
Have you confirmed name resolution is working correctly?
0
 

Author Comment

by:landiiiks2
ID: 37831018
Yes, internally I can do an nslookup for autodiscover.domain.local and also autodiscover.domain.net and they both resolve correctly to the server IP.
0
 
LVL 6

Accepted Solution

by:
awaggoner earned 500 total points
ID: 37831020
0
 

Author Comment

by:landiiiks2
ID: 37831064
I think that fixed it, although I won't be sure until I can test from a computer through Outlook tomorrow.  After the reboot the SBS Web Applications wouldn't start, because Default Web Site was also using 443.  I specified the IP address in Default Web Site and they both started (not sure why that suddenly cropped up either...).  But now if I go to https://autodiscover.domain.local/autodiscover/autodiscover.xml it did prompt once for credentials, but when I put them in, it took me to the site.  I'll find out in the morning for sure.  I really, really appreciate your help and sticking with it.  And if you can explain to me WHY this happened I will award you 5,000 points!!!  Because that is still a total mystery to me...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831073
It's Microsoft.  That is all the explanation required.  :)

Good luck tomorrow.  

I'm glad you won't have to pull an all nighter trying to fix it.  I've had to do that a few times.
0
 

Author Comment

by:landiiiks2
ID: 37831078
But wait - now OWA is broken - 404 - file or directory not found.  Internally and externally.  WTH?
0
 

Author Comment

by:landiiiks2
ID: 37831087
Apparently still a conflict between Default Web Site and SBS Web Applications.  As long as I stop Default Web Site the other things work.  I'm just going to leave it stopped for tonight - I don't need any of those websites tomorrow...
0
 

Author Comment

by:landiiiks2
ID: 37831092
Now when I try to send an email from outside the domain I'm getting Unable to Relay.  This might be an all nighter after all.   How could that have been caused by what I've done??
0
 
LVL 9

Expert Comment

by:ash007
ID: 37831479
Can you check and let me know if nay changes made on receive connector
0
 

Author Comment

by:landiiiks2
ID: 37849800
This is fixed - the email bouncing back was a separate (although related) issue and it is now fixed too.  Thank you so much to awaggoner for sticking with this and helping me out.  Apparently most or all issues were caused by a tech for a software manufacturer who had access to the server to set up a new software program for this company.  He started messing with Exchange settings (unbeknownst to me) even though he had no clue what he was doing.  Word to the wise - never trust anyone else in your server!!!
0

Featured Post

Office 365 Advanced Training for Admins

Special Offer:  Buy 1 course, get 2nd free!  Buy the 'Managing Office 365 Identities & Requirements' course w/ Accelerated TestPrep, and automatically receive the 'Enabling Office 365 Services' course FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question