Solved

Expired Exchange Certificate

Posted on 2012-04-10
Last Modified: 2012-06-21
I have a GoDaddy SSL certificate installed on my 2007 Exchange server.  It has the external and internal domain names, and the autodiscover for both.  Today the internal clients started popping up a message that the certificate was expired, and offering a login for the Exchange server.  Externally, phones are syncing using SSL, and if I go to Outlook Web Access I can see that the certificate for it is valid.  Outlook Web Access with https is even working internally.  In the server's event log there is a message that a certificate is expiring or expired, and gives the thumbprint.  That thumbprint corresponds to the GoDaddy certificate that was valid from Sept. 2010 - Sept. 2011.  There is a new certificate which is identical which is valid from Sept. 2011 - Sept. 2012.  In Exchange, the newer certificate is applied to services POP, IMAP, SMTP and Web.  The older one is applied to POP and IMAP (which aren't being used).  I am totally confused as to why this certificate, which expired months ago, is suddenly causing these problems, and apparently only for the internal autodiscover portion of the certificate.  And how do I fix it?  Is it as simple as removing that certificate?  I don't think so because for whatever reason the system thinks it needs this certificate for internal autodiscover.  Please help!!!
0
Question by:landiiiks2
16 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830859
Are there any entries in Event Viewer related to the expired certificate?

Go ahead and remove the expired certificate.  No reason to keep it.  Then register the valid certificate again.
0
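The cleanup suggested in the comment above, sketched for the Exchange Management Shell as an added example that is not part of the original thread. It assumes the replacement certificate has the same Subject as the expired one (the question describes the two as identical), and every change is run with `-WhatIf` so nothing is modified until that switch is removed.

```powershell
# Added example: find expired Exchange certificates that still have services
# bound, move those services to the valid replacement, then remove the old cert.
$now   = Get-Date
$certs = Get-ExchangeCertificate

# Inventory: which thumbprint expires when, and which services use it.
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, NotBefore, NotAfter, Services, Subject -AutoSize

$expired = $certs | Where-Object { $_.NotAfter -lt $now }
$valid   = $certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now }

foreach ($old in $expired) {
    # Assumption: the renewal carries the same Subject as the expired certificate.
    $replacement = $valid |
        Where-Object { $_.Subject -eq $old.Subject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $replacement) {
        Write-Warning "No valid replacement for $($old.Thumbprint); leaving it in place."
        continue
    }

    # An expired cert still bound to POP/IMAP (as in the question) keeps
    # generating expiry events; rebind those services before removing it.
    if ("$($old.Services)" -ne 'None') {
        Enable-ExchangeCertificate -Thumbprint $replacement.Thumbprint `
            -Services $old.Services -WhatIf
    }

    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -WhatIf
}

# After the real run, confirm only unexpired certificates hold services.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -ne 'None' } |
    Format-List Thumbprint, NotAfter, Services, CertificateDomains
```

Compare the thumbprint reported in the AutoEnrollment event against the inventory table before removing anything, so the certificate being deleted is the one the event log names.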
 

Author Comment

by:landiiiks2
ID: 37830909
Yes - there is a CertificateServicesClient - AutoEnrollment Event 64 - certificate is about to or has already expired.  A few of them over the past several days.  They list the thumbprint of the old GoDaddy certificate.  I'll remove the old certificate and re-register the valid one - hopefully that will work.  I'm still mystified as to why this happened...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830960
Should the certificate be registered for IIS as well as the other services?
0
 

Author Comment

by:landiiiks2
ID: 37830964
It is - I said "web" but I meant IIS.  I have now removed the expired certificate from Exchange, and re-enabled the valid certificate.  But I don't think it's fixed.  When I try to go to https://autodiscover.domain.local/AutoDiscover/AutoDiscover.xml, I get a login box but putting in the credentials doesn't take me anywhere.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37830989
Did you install any MS updates shortly before the problem started?

Also, check out this site to see if it has information relevant to your particular problem.
http://msexchangeguru.com/2010/10/05/autodiscover/
0
 

Author Comment

by:landiiiks2
ID: 37831003
Good thought, but I checked and there is nothing in the event log about updates being installed overnight last night.  I just don't get this - it's been working perfectly for two years.  If I go to https://servername/autodiscover/autodiscover.xml it works fine, but if I go to https://domain.local/autodiscover/autodiscover.xml it prompts for authentication and then goes to 401.1 error.  But OWA works fine internally and externally, and phones are syncing.  I have to have this fixed by morning...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831015
Have you confirmed name resolution is working correctly?
0
 

Author Comment

by:landiiiks2
ID: 37831018
Yes, internally I can do an nslookup for autodiscover.domain.local and also autodiscover.domain.net and they both resolve correctly to the server IP.
0
 
LVL 6

Accepted Solution

by:
awaggoner earned 500 total points
ID: 37831020
0
 

Author Comment

by:landiiiks2
ID: 37831064
I think that fixed it, although I won't be sure until I can test from a computer through Outlook tomorrow.  After the reboot the SBS Web Applications wouldn't start, because Default Web Site was also using 443.  I specified the IP address in Default Web Site and they both started (not sure why that suddenly cropped up either...).  But now if I go to https://autodiscover.domain.local/autodiscover/autodiscover.xml it did prompt once for credentials, but when I put them in, it took me to the site.  I'll find out in the morning for sure.  I really, really appreciate your help and sticking with it.  And if you can explain to me WHY this happened I will award you 5,000 points!!!  Because that is still a total mystery to me...
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37831073
It's Microsoft.  That is all the explanation required.  :)

Good luck tomorrow.  

I'm glad you won't have to pull an all nighter trying to fix it.  I've had to do that a few times.
0
 

Author Comment

by:landiiiks2
ID: 37831078
But wait - now OWA is broken - 404 - file or directory not found.  Internally and externally.  WTH?
0
 

Author Comment

by:landiiiks2
ID: 37831087
Apparently still a conflict between Default Web Site and SBS Web Applications.  As long as I stop Default Web Site the other things work.  I'm just going to leave it stopped for tonight - I don't need any of those websites tomorrow...
0
 

Author Comment

by:landiiiks2
ID: 37831092
Now when I try to send an email from outside the domain I'm getting Unable to Relay.  This might be an all nighter after all.   How could that have been caused by what I've done??
0
 
LVL 9

Expert Comment

by:ash007
ID: 37831479
Can you check and let me know if any changes were made on the receive connector?
0
 

Author Comment

by:landiiiks2
ID: 37849800
This is fixed - the email bouncing back was a separate (although related) issue and it is now fixed too.  Thank you so much to awaggoner for sticking with this and helping me out.  Apparently most or all issues were caused by a tech for a software manufacturer who had access to the server to set up a new software program for this company.  He started messing with Exchange settings (unbeknownst to me) even though he had no clue what he was doing.  Word to the wise - never trust anyone else in your server!!!
0
