Avatar of hdts
hdts
Flag for United States of America asked on

Issues regarding SSL certificate and connection

I recently purchased and installed a godaddy ucc ssl certificate.

I believe that everything was working fine after I installed it but I had to go around and mess with things and I can't get it to work again.

I changed the option under ssl settings (exchange console) and said for it to require a client certificate as well as changing the settings in exchange console for the OWA/ActiveSync/etc - they had been remote.domain.com and i changed them to mail.domain.com (because that is how we have been accessing the OWA page - i.e. mail.domain.com/owa) - however everything WAS working before the SSL was intalled and I believe even after it was installed. It now gives a 404 - File Or directory not found.

I believe I have changed all the settings back to the former (except fot the remote --> mail address in exchange console).

Can you give me an idea of what i screwed up? I have changed the SSL setting back to the way they were but still no go on accessing the OWA page (Or remote for that matter).
SBSInternet Protocols

Avatar of undefined
Last Comment
Exchange_Geek

8/22/2022 - Mon
Exchange_Geek

Is owa working internally fine and externally messed up Or is it both sides?

Take a look at the issue that another SBS guy faced where I was working with him, issue ended up being at the router - however, do read about settings.

https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_28088401.html#a39055556

Regards,
Exchange_Geek
hdts

ASKER
It's messed up both internally and externally. Didn't change anything on the router (didn't even log into it during this process).

Ill take a look at your link, thanks!
Exchange_Geek

is mail.domain.com pingable? How about you open webpage on CAS Server? does it open / error out?

Have you tried running

Test-WebServicesConnectivity -verbose -debug cmdlet?

Regards,
Exchange_Geek
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
hdts

ASKER
It is not pingable - times out.

Running the Test-Web command only gives me an error because it is trying to log on using a weird username (CAS_af7ws8wf7e <---something like that). It fails to run the test trying to use that username...
Exchange_Geek

Pinging your URL times out - what's it pointing to? using nslookup understand that.

Regards,
Exchange_Geek
hdts

ASKER
the url is pointing to the external IP of our server (onsite).
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Exchange_Geek

what does exrca.com state about your URL?

Now, you've changed the URL internally too, so isn't there any referance to this record pointing to your CAS Server internally?

Regards,
Exchange_Geek
hdts

ASKER
Okay I believe I have changed everything back to how it was before I messed it all up. I am rebooting and will run exrca.com in a minute and report back.
Exchange_Geek

Perfect :)

Regards,
Exchange_Geek
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
hdts

ASKER
OUTLOOK ANYWHERE TEST

IF YOU NEED A DIFFERENT EXRCA TEST LET ME KNOW



      Connectivity Test Failed
 
Test Details
      Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      ExRCA is attempting to test Autodiscover for USERNAME@DOMAIN.com.
       Testing Autodiscover failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://DOMAIN.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name DOMAIN.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XX.XXX.XXX.XX <------THIS ADDRESS IS OUR WWW NOT OUR MAIL.DOMAIN/REMOTE.DOMAIN/ETC
      Testing TCP port 443 on host DOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server DOMAIN.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB. <------THIS HOSTMONSTER IS THE HOSTING COMPANY FOR OUR WWW SITE
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name DOMAIN.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Attempting to test potential Autodiscover URL https://autodiscover.DOMAIN.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.DOMAIN.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XX.XXX.XXX.XXX <-------OUR WWW ADDRESS
      Testing TCP port 443 on host autodiscover.DOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.DOMAIN.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name autodiscover.DOMAIN.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.DOMAIN.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XX.XXX.XXX.XXX <-----OUR WWW ADDRESS
      Testing TCP port 80 on host autodiscover.DOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      ExRCA is checking the host autodiscover.DOMAIN.com for an HTTP redirect to the Autodiscover service.
       ExRCA failed to get an HTTP redirect response for Autodiscover.
       
      Additional Details
       A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.DOMAIN.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.
        Tell me more about this issue and how to resolve it


© 2013 Microsoft | Version 2.1 | Feedback | Privacy | Terms of Use
Exchange_Geek

What all names are part of Subject Alternate Name in your SAN-Cert?

Please list them along with your internal and external URL.

Regards,
Exchange_Geek
hdts

ASKER
SAN cert should have the mail as the cn and remote & autodiscover as the SANs

how do I know the internal domain? the external is bluestarbussales.com - however we do have the local as bluestarbus.biz
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Exchange_Geek

Issues with your setup


Mess#1 autodiscover isn't part of the certificate being presented on internet.

Host name autodiscover.yourdomain.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.

Mess#2 autodiscover.yourdomain.com in DNS points to your vendor that doesn't have autodiscover in its certificate.
Attempting to resolve the host name autodiscover.yourdomain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 74.xxx.xxx.230

Contact your vendor and question them.

Ideally, your autodiscover.domain.com should be pointing to your firewall and not your vendor. This isn't a www website - this is OL, this is Exchange that needs to respond to such queries.

Regards,
Exchange_Geek
hdts

ASKER
What about mail.domain.com?

In the past we never used autodiscover or remote, only mail.domain.com

Shouldn't mail.domain.com be working correctly?
hdts

ASKER
we have successfully used mail.domain.com for years without issues...I would like to get autodiscover looking to the correct IP but I am still stumped as to why mail.domain.com has stopped working and only gives a 404 message now
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER CERTIFIED SOLUTION
Exchange_Geek

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
hdts

ASKER
followed that and now when trying to access mail.domain.com I get a request to present a certificate - I do not have one on the client side (as far as I know)...

I'm rebooting right now to see if that makes a difference.
hdts

ASKER
Amazing! It is back up @ mail.domain.com!

Once autodiscover has updated to the new IP then I should be all set to go?

Is there anything else that I need to do on the server side?
hdts

ASKER
hey sorry one more thing I noticed.

remote.domain.com is pinging to the correct IP but it is also error 404 - do I need to reset IIS for this too?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Exchange_Geek

404 error points to default web site - check the link i gave.

Regards,
Exchange_Geek
hdts

ASKER
So sorry - I wasn't paying attention

the https://remote.domain.com give me a 403 message (not 404)

Again - our webmail (mail.domain.com) is now working perfectly!
Exchange_Geek

webmail works good - that's great news - what about ExRCA - does it still give the 404 errors?

Regards,
Exchange_Geek
Your help has saved me hundreds of hours of internet surfing.
fblack61
hdts

ASKER
Here is the latst test - looks like it thinks autodiscover is still pointing to the wrong address but when I ping it it is pinging th right IP...





      Connectivity Test Failed
 
Test Details
      Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      ExRCA is attempting to test Autodiscover for nicholas@bluestarbussales.com.
       Testing Autodiscover failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://bluestarbussales.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name bluestarbussales.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 74.220.215.230
      Testing TCP port 443 on host bluestarbussales.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server bluestarbussales.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
      Validating the certificate name.
       Certificate name validation failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       Host name bluestarbussales.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Attempting to test potential Autodiscover URL https://autodiscover.bluestarbussales.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.bluestarbussales.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 65.182.71.39
      Testing TCP port 443 on host autodiscover.bluestarbussales.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.bluestarbussales.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=mail.bluestarbussales.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name autodiscover.bluestarbussales.com was found in the Certificate Subject Alternative Name entry.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=mail.bluestarbussales.com, OU=Domain Control Validated.
       One or more certificate chains were constructed successfully.
       
      Additional Details
       A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
       
      Additional Details
       ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 4/5/2013 10:06:26 AM, NotAfter = 4/5/2016 10:06:26 AM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.bluestarbussales.com/AutoDiscover/AutoDiscover.xml for user nicholas@bluestarbussales.com.
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).


© 2013 Microsoft | Version 2.1 | Feedback | Privacy | Terms of Use
Exchange_Geek

All looks good with ExRCA, what makes you think it's wrong.

Attempting to resolve the host name autodiscover.bluestarbussales.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 65.182.71.39

Regards,
Exchange_Geek
hdts

ASKER
Your right I believe everything is fine now
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Exchange_Geek

That was where i was concerned, all looked good to me. Glad to hear the magic words :)

Regards,
Exchange_Geek