ics45 asked:

Small Business Servers and SMTP certificates

We are having a problem with a customer's Small Business Server 2008 Standard FE SP1.
We use a GoDaddy certificate for Exchange called remote.company.co.uk.

If I bring up an MMC and add certificates and check the personal store the remote.company.co.uk certificate is there and valid. There is also a server.company.local self certificate that is valid.

We are getting an error in the application log saying "Microsoft Exchange couldn't find a certificate that contains the domain name remote.company.co.uk in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Receive SERVER with a FQDN parameter of remote.company.co.uk. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key."

When I run the "Enable-ExchangeCertificate -Services SMTP" command, I get an error saying "Warning this certificate will not be used for external TLS connections with an FQDN of "Server.company.local" because the CA-signed certificate with thumbprint 'big number' takes precedence. The following connectors match that FQDN: Default SERVER, SMTP in."

We are also getting the following error, which I assume is related:
"There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of SERVER.company.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of SERVER.company.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task."

The server has worked OK from new until we renewed the GoDaddy certificate last year!!

Many thanks for reading this and many thanks in advance for your help!!
SBS, Exchange, Outlook


8/22/2022 - Mon
VidarAndersen

SBS servers are tricky that way.

Try starting Windows SBS Console and use the "add a trusted certificate" wizard. That did the trick for me last time I did it.
ics45

ASKER
Hi Vidar,

Many thanks for the reply.

I should have said, we have tried that already and it worked for a few hours then errored again.

I am not sure if we should have both the internal self-generated certificate and the GoDaddy certificates on the server?

Mike
Exchange_Geek

The error is bogus and wouldn't/shouldn't bother you unless you are thinking of working with the SMTP-TLS feature.

Regards,
Exchange_Geek
ics45

ASKER
Hi Exchange_Geek, many thanks for the reply. The only problem with this error is it does stop the Exchange transport from working. Internal and external emails will stop and a server reboot is the only thing that seems to start it working again - but the errors will still be in the log. Everything was fine until the initial internal license expired?
Thanks,
Mike
ASKER CERTIFIED SOLUTION
Exchange_Geek
