  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1121

SBS 2011 SSL problems

About 1 month ago our SSL Certificate expired.  It was purchased by our local IT Vendor from Godaddy.com.  Since it was not purchased in our account, I had to get new ones from them and install.  It was a bit of a pain, but I was able to get this to work.  I was able to confirm this by checking the ssl certificate with a web tool (sslshopper) and also got errors to go away on phones and remote web access users.

Fast forward to yesterday... Our server hung and needed to be rebooted. After the restart we began to have problems with ActiveSync on Android phones (iPhones still work), and Remote Web Access also failed to work. I logged into the server and found that "Active Directory Certificate Services", which is set to Automatic, was not started. When I attempt to start it I get an error.

Here are a couple of the red-circle errors from the Event Viewer:

1. Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

2. Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

3. Microsoft Exchange could not find a certificate that contains the domain name SACSVDC01.CMS.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Connector with a FQDN parameter of SACSVDC01.CMS.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

I think that all of these are related, but if additional info is needed let me know.
0
Asked by: calmoving
1 Solution
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Did you use the Third Party Trusted Certificates wizard to do the CSR and import?

Were the Intermediates properly installed before?

Philip
0
 
calmoving (Author) commented:
Yes, I requested the certificate from the server and added the subdomains (mail., remote.) and received them back from Go Daddy. After installation this worked for over a month; now all of a sudden there is an issue. One thing that I am suspicious of is that the new SSL certificate does not have any .local attached to it. I have no idea if that has anything to do with it.
0
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
We are talking about Small Business Server 2011 Standard?

Philip
0
 
calmoving (Author) commented:
Yes, I believe it is Standard.
0
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Okay.

Then only one URL can be used to access all of the resources hosted on SBS STD.

https://remote.domain.com is the one the Internet Address wizard picks.

Autodiscover on the Internet can be set up using the same URL for remote devices/Outlook Anywhere.

Have the Connect to the Internet and the Internet Address wizards been run?

Philip
0
 
calmoving (Author) commented:
I am attempting to run them now (I did not deploy this server, and did not re-run them after the SSL certificate was installed). I will post anything that I find after it is complete.
0
 
calmoving (Author) commented:
That completed successfully. I attempted to start Active Directory Certificate Services again and got an error message in the logs:

1. Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CMS-SACSVDC01-CA Keyset does not exist 0x80090016 (-2146893802).

2. Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

3. Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from SACSVDC01.CMS.local\CMS-SACSVDC01-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
0
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Why are you starting the CA?

That has nothing to do with the SSL certificate that gets installed via the TPTC wizard mentioned above.

If the wizards replaced the GoDaddy SSL on RWA/OAS/OWA/ETC then run the Third Party Trusted Certificate wizard and choose the "Already installed on this server" option. Choose the GD one.

Philip
0
 
calmoving (Author) commented:
I used TrustedCert.exe to install the SSL certificate originally. Now when I try to open the program I get an error.
1. Application: TrustedCert.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: Microsoft.WindowsServerSolutions.CoreNetworking.CNetException
Stack:
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.GetCARootCert()
   at Microsoft.WindowsServerSolutions.CoreNetworking.CNetCert.IsCertTrusted(System.Security.Cryptography.X509Certificates.X509Certificate2)
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.CreatePropertyBag()
   at Microsoft.WindowsServerSolutions.Networking.Wizards.TCIWizard.Program.Main()

2. Faulting application name: TrustedCert.exe, version: 6.1.7900.0, time stamp: 0x4cd854c2
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211da1
Exception code: 0xe0434352
Fault offset: 0x000000000000a88d
Faulting process id: 0x299c
Faulting application start time: 0x01cdef713b765511
Faulting application path: C:\Program Files\Windows Small Business Server\Bin\TrustedCert.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 85607d37-5b64-11e2-ab03-782bcb5f44ac
0
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Are you starting the Wizard from within the SBS Console?

Philip
0
 
calmoving (Author) commented:
If I attempt to open the MMC and load the Certification Authority snap-in, I get an error that certificate information cannot be retrieved from a stopped service; please start the Active Directory Certificate Services service.
0
 
calmoving (Author) commented:
Yes, I normally attempt to open it from within the console. I have also attempted it from the MMC.
0
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Click Start --> SBS Native Tools --> [Enter] --> UAC --> Continue.

Click on the Certificates node.
Click on Personal.
Click on Certificates folder.

You will see the relevant certificates there.

Again, the CA has _nothing_ to do with what is needed.

Philip
0
 
calmoving (Author) commented:
OK, I have 4 certificates in there.
3 are self-signed, 2 of which have key icons on them.
1 is a GoDaddy certificate, also with a key icon.
0
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
I am not sure what has happened there as the Trusted Certificate wizard should just work. The local CA is _only_ set up by the SBS Suite itself to work within the wizard structure.

Start again:
Connect to the Internet Wizard
Internet Address Wizard
then:
Fix My Network Wizard.

Finally:
Third Party (SSL).

Philip
0
 
calmoving (Author) commented:
OK, I figured it out... it was the binding of the SSL certificate. Now to figure out what is going on with the other errors I am getting. Thank you for your help.
0
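As an added example, not code from the thread and not part of the SBS tooling, the PowerShell below covers two points from the exchange above: the store walk Philip described (Local Computer, Personal, Certificates) and the final finding that the fault was the SSL binding. It lists the certificates in the Personal store with their SAN names and private-key status, reads which thumbprint HTTP.sys has bound to port 443, checks that the bound certificate is a valid one for the public name, and, when run from the Exchange Management Shell, shows which Exchange services each certificate is enabled for. `remote.domain.com` is an assumed placeholder for the name the Internet Address wizard picked; `Get-SanNames` is a helper defined here, not an SBS or Exchange cmdlet.

```powershell
# Added example; not from the thread or the SBS product. Run elevated on the SBS 2011 server.
# Section 3 only does anything inside the Exchange Management Shell.
$PublicName = 'remote.domain.com'   # assumption: the public name chosen by the Internet Address wizard

function Get-SanNames {
    # Extract DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
}

# 1. Local Computer \ Personal \ Certificates, the store Philip pointed at.
$personal = Get-ChildItem Cert:\LocalMachine\My
$personal |
    Select-Object Thumbprint, HasPrivateKey, NotAfter, Subject, Issuer,
        @{ Name = 'SAN'; Expression = { (Get-SanNames $_) -join ', ' } } |
    Format-Table -AutoSize

# Certificates that could legitimately serve the public name:
# matching CN or SAN, private key present, not expired.
$candidates = $personal | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ( $_.Subject -match ('CN=' + [regex]::Escape($PublicName)) -or
      (Get-SanNames $_) -contains $PublicName )
}
$candidateHashes = @($candidates | ForEach-Object { $_.Thumbprint })

# 2. HTTP.sys: which certificate is actually bound to port 443? This is the binding
#    the SBS wizards manage, and the thing that turned out to be wrong above.
$sslText   = (netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
$hashMatch = [regex]::Match($sslText, 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')
if (-not $hashMatch.Success) {
    Write-Warning 'Nothing is bound to 0.0.0.0:443 in HTTP.sys (also check [::]:443).'
} else {
    $boundHash = $hashMatch.Groups[1].Value.ToUpper()
    $bound = $personal | Where-Object { $_.Thumbprint -eq $boundHash }
    if (-not $bound) {
        Write-Warning "443 is bound to $boundHash, which is not in the Personal store."
    } elseif ($candidateHashes -notcontains $boundHash) {
        Write-Warning ("443 is bound to '{0}' (expires {1}), not to a valid certificate for {2}." -f
            $bound.Subject, $bound.NotAfter, $PublicName)
    } else {
        "443 is bound to the expected certificate: $($bound.Subject) ($boundHash)"
    }
}

# 3. Exchange: which services is each certificate enabled for? (Exchange Management Shell only.)
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Select-Object Thumbprint, Services, NotAfter, Subject |
        Format-Table -AutoSize
}
```

If section 2 reports a mismatch, the repair path the thread itself gives is the Third Party Trusted Certificate wizard with the "Already installed on this server" option, selecting the GoDaddy certificate; the Exchange event text quoted in the question names `Enable-ExchangeCertificate -Services SMTP` for the transport side. The self-signed entries in the Personal store belong to the SBS-managed internal CA and are expected; the one to watch is the GoDaddy certificate with a private key, whose thumbprint should be the one HTTP.sys reports.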
 
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
You are welcome. :)

Philip
0
