Solved

Expired Exchange Certificate

Posted on 2012-04-10
879 Views
Last Modified: 2012-06-21
I have a GoDaddy SSL certificate installed on my 2007 Exchange server.  It has the external and internal domain names, and the autodiscover for both.  Today the internal clients started popping up a message that the certificate was expired, and offering a login for the Exchange server.  Externally, phones are syncing using SSL, and if I go to Outlook Web Access I can see that the certificate for it is valid.  Outlook Web Access with https is even working internally.  In the server's event log there is a message that a certificate is expiring or expired, and gives the thumbprint.  That thumbprint corresponds to the GoDaddy certificate that was valid from Sept. 2010 - Sept. 2011.  There is a new certificate which is identical which is valid from Sept. 2011 - Sept. 2012.  In Exchange, the newer certificate is applied to services POP, IMAP, SMTP and Web.  The older one is applied to POP and IMAP (which aren't being used).  I am totally confused as to why this certificate, which expired months ago, is suddenly causing these problems, and apparently only for the internal autodiscover portion of the certificate.  And how do I fix it?  Is it as simple as removing that certificate?  I don't think so because for whatever reason the system thinks it needs this certificate for internal autodiscover.  Please help!!!
Question by: landiiiks2

16 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830859
Are there any entries in Event Viewer related to the expired certificate?

Go ahead and remove the expired certificate.  No reason to keep it.  Then register the valid certificate again.
0
 

Author Comment

by:landiiiks2
ID: 37830909
Yes - there is a CertificateServicesClient-AutoEnrollment Event 64 - certificate is about to or has already expired.  A few of them over the past several days.  They list the thumbprint of the old GoDaddy certificate.  I'll remove the old certificate and re-register the valid one - hopefully that will work.  I'm still mystified as to why this happened...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830960
Should the certificate be registered for IIS as well as the other services?
0
 

Author Comment

by:landiiiks2
ID: 37830964
It is - I said "web" but I meant IIS.  I have now removed the expired certificate from Exchange, and re-enabled the valid certificate.  But I don't think it's fixed.  When I try to go to https://autodiscover.domain.local/AutoDiscover/AutoDiscover.xml, I get a login box but putting in the credentials doesn't take me anywhere.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830989
Did you install any MS updates shortly before the problem started?

Also, check out this site to see if it has information relevant to your particular problem.
http://msexchangeguru.com/2010/10/05/autodiscover/
0
 

Author Comment

by:landiiiks2
ID: 37831003
Good thought, but I checked and there is nothing in the event log about updates being installed overnight last night.  I just don't get this - it's been working perfectly for two years.  If I go to https://servername/autodiscover/autodiscover.xml it works fine, but if I go to https://domain.local/autodiscover/autodiscover.xml it prompts for authentication and then goes to 401.1 error.  But OWA works fine internally and externally, and phones are syncing.  I have to have this fixed by morning...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831015
Have you confirmed name resolution is working correctly?
0
 

Author Comment

by:landiiiks2
ID: 37831018
Yes, internally I can do an nslookup for autodiscover.domain.local and also autodiscover.domain.net and they both resolve correctly to the server IP.
0
 
LVL 6

Accepted Solution

by:
awaggoner earned 500 total points
ID: 37831020
0
 

Author Comment

by:landiiiks2
ID: 37831064
I think that fixed it, although I won't be sure until I can test from a computer through Outlook tomorrow.  After the reboot the SBS Web Applications wouldn't start, because Default Web Site was also using 443.  I specified the IP address in Default Web Site and they both started (not sure why that suddenly cropped up either...).  But now if I go to https://autodiscover.domain.local/autodiscover/autodiscover.xml it did prompt once for credentials, but when I put them in, it took me to the site.  I'll find out in the morning for sure.  I really, really appreciate your help and sticking with it.  And if you can explain to me WHY this happened I will award you 5,000 points!!!  Because that is still a total mystery to me...
0
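An added check for the two problems in this thread (an expired certificate whose thumbprint shows up in the event log, and two IIS sites both claiming port 443); this is example code, not anything posted by awaggoner or landiiiks2, and it assumes the Exchange 2007 Management Shell on the server, with `$EventThumbprint` as a placeholder for the thumbprint from the Event 64 entry.

```powershell
# Added example, not from the thread: audit Exchange 2007 certificates and IIS 443 bindings.
# Run from the Exchange Management Shell on the Exchange/SBS server.
# Placeholder: paste the thumbprint reported by the CertificateServicesClient-AutoEnrollment event.
$EventThumbprint = 'PLACEHOLDER_THUMBPRINT_FROM_EVENT_64'

# 1. Every certificate Exchange knows about, oldest expiry first, with the services bound to it.
$certs = Get-ExchangeCertificate
$certs | Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned |
    Sort-Object NotAfter | Format-Table -AutoSize

# 2. Flag certificates that are already expired or expire within 30 days.
$expiring = $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }
foreach ($c in $expiring) {
    Write-Warning ("Expired/expiring: {0} (NotAfter {1}) bound to {2}" -f `
        $c.Thumbprint, $c.NotAfter, $c.Services)
}

# 3. Match the thumbprint from the event to a certificate and check it is not still serving IIS.
$evt = $certs | Where-Object { $_.Thumbprint -eq $EventThumbprint }
if ($evt -and ("$($evt.Services)" -match 'IIS')) {
    Write-Warning "Certificate from the event is still bound to IIS; enable the valid one first."
}

# 4. Bind the newest valid, CA-issued certificate to IIS and SMTP before removing the old one.
$valid = $certs | Where-Object { $_.NotAfter -gt (Get-Date) -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($valid) {
    Enable-ExchangeCertificate -Thumbprint $valid.Thumbprint -Services 'IIS,SMTP'
}
# Only after step 4 has succeeded and OWA/autodiscover have been re-tested:
# Remove-ExchangeCertificate -Thumbprint $EventThumbprint

# 5. Show the HTTPS bindings of every IIS site so that Default Web Site and SBS Web Applications
#    are not both bound to *:443 (the conflict seen after the reboot in this thread).
& "$env:windir\system32\inetsrv\appcmd.exe" list site
netsh http show sslcert
```

Two sites listed by appcmd with the same `https/*:443:` binding explain why one of them refuses to start; give one of them a specific IP or a different port, as the author did.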
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831073
It's Microsoft.  That is all the explanation required.  :)

Good luck tomorrow.  

I'm glad you won't have to pull an all nighter trying to fix it.  I've had to do that a few times.
0
 

Author Comment

by:landiiiks2
ID: 37831078
But wait - now OWA is broken - 404 - file or directory not found.  Internally and externally.  WTH?
0
 

Author Comment

by:landiiiks2
ID: 37831087
Apparently still a conflict between Default Web Site and SBS Web Applications.  As long as I stop Default Web Site the other things work.  I'm just going to leave it stopped for tonight - I don't need any of those websites tomorrow...
0
 

Author Comment

by:landiiiks2
ID: 37831092
Now when I try to send an email from outside the domain I'm getting Unable to Relay.  This might be an all nighter after all.   How could that have been caused by what I've done??
0
 
LVL 9

Expert Comment

by:ash007
ID: 37831479
Can you check and let me know if any changes were made on the receive connector?
0
 

Author Comment

by:landiiiks2
ID: 37849800
This is fixed - the email bouncing back was a separate (although related) issue and it is now fixed too.  Thank you so much to awaggoner for sticking with this and helping me out.  Apparently most or all issues were caused by a tech for a software manufacturer who had access to the server to set up a new software program for this company.  He started messing with Exchange settings (unbeknownst to me) even though he had no clue what he was doing.  Word to the wise - never trust anyone else in your server!!!
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video discusses moving either the default database or any database to a new volume.

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question