Solved

SBS 2011 SSL problems

Posted on 2013-01-10
17
Medium Priority
1,111 Views
Last Modified: 2013-01-10
About 1 month ago our SSL Certificate expired.  It was purchased by our local IT Vendor from Godaddy.com.  Since it was not purchased in our account, I had to get new ones from them and install.  It was a bit of a pain, but I was able to get this to work.  I was able to confirm this by checking the ssl certificate with a web tool (sslshopper) and also got errors to go away on phones and remote web access users.

Fast forward to yesterday..... Our server hung and needed to be rebooted. After the restart we began to have problems with ActiveSync on Android phones (iPhones still work), and Remote Web Access also failed to work.  I logged into the server and found that the "Active Directory Certificate Services" service, which is set to Automatic, was not started.  When I attempt to start it I get an error.

Here are a couple of the red-circle errors from the Event Viewer:

1.Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

2.Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

3.Microsoft Exchange could not find a certificate that contains the domain name SACSVDC01.CMS.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Connector with a FQDN parameter of SACSVDC01.CMS.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I think that all of these are related, but if additional info is needed let me know.
0
Comment
Question by:calmoving
17 Comments
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38764296
Did you use the Third Party Trusted Certificates wizard to do the CSR and import?

Were the Intermediates properly installed before?

Philip
0
 

Author Comment

by:calmoving
ID: 38764420
Yes I requested the certificate from the server and added the sub domains (mail., remote.) and received them back from Go Daddy.... after installation this has worked for over a month, now all of a sudden there is an issue.  One thing that I am suspect of is the new SSL does not have any .local attached to it.... I have no idea if that has anything to do with it.
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38764448
We are talking about Small Business Server 2011 Standard?

Philip
0

 

Author Comment

by:calmoving
ID: 38764464
Yes I believe it is standard.
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38764485
Okay.

Then only one URL can be used to access all of the resources hosted on SBS STD.

https://remote.domain.com is the one the Internet Address wizard picks.

Autodiscover on the Internet can be set up using the same URL for remote devices/Outlook Anywhere.

Have the Connect to the Internet and the Internet Address wizards been run?

Philip
0
 

Author Comment

by:calmoving
ID: 38764499
I am attempting to run them now (I did not deploy this server, and did not re-run after the ssl was installed)  I will post anything that I find after it is complete.
0
 

Author Comment

by:calmoving
ID: 38764524
That completed successfully.  I attempted to start Active Directory Certificate Services again and got an error message in the logs:

1. Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CMS-SACSVDC01-CA Keyset does not exist 0x80090016 (-2146893802).

2.Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

3.Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38764547
Why are you starting the CA?

That has nothing to do with the SSL certificate that gets installed via the TPTC wizard mentioned above.

If the wizards replaced the GoDaddy SSL on RWA/OAS/OWA/ETC then run the Third Party Trusted Certificate wizard and choose the "Already installed on this server" option. Choose the GD one.

Philip
0
 

Author Comment

by:calmoving
ID: 38764614
I used trustedcert.exe to install the SSL originally.  Now when I try to open the program I get an error.
1.Application: TrustedCert.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.WindowsServerSolutions.CoreNetworking.CNetException
Stack:
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.GetCARootCert()
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.IsCertTrusted(System.Security.Cryptography.X509Certificates.X509Certificate2)
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.CreatePropertyBag()
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.Main()

2.Faulting application name: TrustedCert.exe, version: 6.1.7900.0, time stamp: 0x4cd854c2
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211da1
Exception code: 0xe0434352
Fault offset: 0x000000000000a88d
Faulting process id: 0x299c
Faulting application start time: 0x01cdef713b765511
Faulting application path: C:\Program Files\Windows Small Business Server\Bin\TrustedCert.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 85607d37-5b64-11e2-ab03-782bcb5f44ac
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38764635
Are you starting the Wizard from within the SBS Console?

Philip
0
 

Author Comment

by:calmoving
ID: 38764641
If I attempt to open the MMC and load the Certification Authority, I get an error that certificate information cannot be read from a stopped service; please start the Active Directory Certificate Services service.
0
 

Author Comment

by:calmoving
ID: 38764650
Yes I normally attempt to open it from within the console, I have also attempted from the MMC.
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38764664
Click Start --> SBS Native Tools --> [Enter] --> UAC --> Continue.

Click on the Certificates node.
Click on Personal.
Click on Certificates folder.

You will see the relevant certificates there.

Again, the CA has _nothing_ to do with what is needed.

Philip
0
 

Author Comment

by:calmoving
ID: 38764701
OK, I have 4 certificates in there:
3 are self-signed, 2 of which have key icons on them;
1 is a GD one, also with a key icon.
0
 
LVL 39

Accepted Solution

by:
Philip Elder earned 1500 total points
ID: 38764719
I am not sure what has happened there as the Trusted Certificate wizard should just work. The local CA is _only_ set up by the SBS Suite itself to work within the wizard structure.

Start again:
Connect to the Internet Wizard
Internet Address Wizard
then:
Fix My Network Wizard.

Finally:
Third Party (SSL).

Philip
0
 

Author Comment

by:calmoving
ID: 38765261
OK, I figured it out... it was the binding of the SSL.... Now to figure out what is going on with the other errors I am getting. Thank you for your help.
0
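The thread ends with the fix being the HTTPS binding, and the STARTTLS event in the question points at the Exchange side of the same problem. The following PowerShell check is an added example, not code from the thread, from Microsoft or from the SBS wizards: it looks up the certificate in the computer's Personal store that covers the public FQDN, reports whether it has a private key and chains to a trusted root (missing GoDaddy intermediates show up as a failed chain), and then lists which thumbprint IIS and Exchange are actually using, so a mismatch between "the right certificate is installed" and "the right certificate is bound" is visible in one place. It assumes the Exchange Management Shell on the SBS 2011 server, the IIS `WebAdministration` module, and a placeholder FQDN `remote.domain.com` that you replace with the name the Internet Address wizard configured; the `Enable-ExchangeCertificate -Services SMTP` step runs only when `-EnableSmtp` is passed.

```powershell
# Added example, not code from the thread, Microsoft, or the SBS wizards.
# Run as an administrator in the Exchange Management Shell on the SBS 2011
# server (PowerShell 2.0 compatible). $Fqdn is an assumed placeholder: use the
# name the Internet Address wizard set (https://remote.<yourdomain>.com above).
param(
    [string]$Fqdn = 'remote.domain.com',
    [switch]$EnableSmtp   # opt in to Enable-ExchangeCertificate -Services SMTP
)

function Get-CertNames {
    # Returns the CN plus every DNS name in the Subject Alternative Name
    # extension (OID 2.5.29.17). Format($false) yields "DNS Name=a, DNS Name=b".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    return $names
}

# 1. Certificates in the computer's Personal store (the MMC "Personal >
#    Certificates" folder from the thread) that cover the public FQDN.
$matching = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-CertNames $_) -contains $Fqdn })

if ($matching.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My covers $Fqdn; re-run the Third Party Trusted Certificate wizard."
}
foreach ($c in $matching) {
    # HasPrivateKey is the 'key icon' in the MMC. Verify() builds the chain to
    # a trusted root, so missing intermediates show up here as $false.
    New-Object PSObject -Property @{
        Thumbprint    = $c.Thumbprint
        Issuer        = $c.Issuer
        NotAfter      = $c.NotAfter
        Expired       = ($c.NotAfter -lt (Get-Date))
        HasPrivateKey = $c.HasPrivateKey
        ChainTrusted  = $c.Verify()
    } | Format-List
}
$good = @($matching | Where-Object {
    $_.HasPrivateKey -and $_.Verify() -and ($_.NotAfter -gt (Get-Date)) })

# 2. Which thumbprint IIS has bound to each HTTPS site. A valid certificate
#    that is simply not bound is exactly the failure the thread ended on.
$bound = @()
try {
    Import-Module WebAdministration -ErrorAction Stop
    $bindings = @(Get-WebBinding -Protocol https)
    $bindings | Select-Object bindingInformation, certificateHash | Format-Table -AutoSize
    $bound = $bindings | ForEach-Object { $_.certificateHash }
} catch {
    Write-Warning "WebAdministration module unavailable; use 'netsh http show sslcert' to read the bindings instead."
}
if ($good.Count -gt 0 -and $bound.Count -gt 0) {
    $goodHashes = $good | ForEach-Object { $_.Thumbprint }
    $hit = $bound | Where-Object { $goodHashes -contains $_ }
    if (-not $hit) {
        Write-Warning "A usable certificate for $Fqdn exists but no HTTPS binding uses it; fix the site binding."
    }
}

# 3. Which services Exchange has assigned to each certificate (SMTP is what
#    the STARTTLS event in the question is complaining about).
Get-ExchangeCertificate | Select-Object Thumbprint, Services, Subject | Format-Table -AutoSize

if ($EnableSmtp -and $good.Count -gt 0) {
    # Only after confirming the thumbprint above is the intended certificate.
    Enable-ExchangeCertificate -Thumbprint $good[0].Thumbprint -Services SMTP
}
```

Read the output top to bottom: section 1 tells you whether the certificate itself is usable, section 2 whether IIS is serving it, and section 3 whether Exchange has it assigned for SMTP. The local CA service that the question tried to restart does not appear anywhere in this check, which is the point the accepted answer makes.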
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38765275
You are welcome. :)

Philip
0