hdts asked:
Issues regarding SSL certificate and connection

I recently purchased and installed a GoDaddy UCC SSL certificate.

I believe that everything was working fine after I installed it but I had to go around and mess with things and I can't get it to work again.

I changed the option under SSL settings (Exchange console) and set it to require a client certificate, as well as changing the settings in the Exchange console for OWA/ActiveSync/etc. They had been remote.domain.com and I changed them to mail.domain.com (because that is how we have been accessing the OWA page, i.e. mail.domain.com/owa). However, everything WAS working before the SSL was installed, and I believe even after it was installed. It now gives a 404 - File or directory not found.

I believe I have changed all the settings back to the former (except for the remote --> mail address in the Exchange console).

Can you give me an idea of what I screwed up? I have changed the SSL settings back to the way they were, but still no go on accessing the OWA page (or remote, for that matter).

Exchange_Geek:

Is OWA working fine internally and messed up externally, or is it both sides?

Take a look at the issue another SBS guy faced that I was working on with him; the issue ended up being at the router. However, do read about the settings.

https://www.experts-exchange.com/questions/28088401/sudden-owa-external-access-404-error-after-reboot-update.html?anchorAnswerId=39055556#a39055556

Regards,
Exchange_Geek
hdts (ASKER):
It's messed up both internally and externally. Didn't change anything on the router (didn't even log into it during this process).

I'll take a look at your link, thanks!

Exchange_Geek:

Is mail.domain.com pingable? How about you open the webpage on the CAS server? Does it open or error out?

Have you tried running

Test-WebServicesConnectivity -verbose -debug cmdlet?

Regards,
Exchange_Geek
hdts (ASKER):
It is not pingable - times out.

Running the Test-Web command only gives me an error because it is trying to log on using a weird username (CAS_af7ws8wf7e <--- something like that). It fails to run the test trying to use that username...

Exchange_Geek:

Pinging your URL times out. What is it pointing to? Use nslookup to find that out.

Regards,
Exchange_Geek
hdts (ASKER):
The URL is pointing to the external IP of our server (onsite).

Exchange_Geek:

What does exrca.com state about your URL?

Now, you've changed the URL internally too, so isn't there any reference to this record pointing to your CAS server internally?

Regards,
Exchange_Geek
hdts (ASKER):
Okay, I believe I have changed everything back to how it was before I messed it all up. I am rebooting and will run exrca.com in a minute and report back.

Exchange_Geek:

Perfect :)

Regards,
Exchange_Geek
hdts (ASKER):
OUTLOOK ANYWHERE TEST

IF YOU NEED A DIFFERENT EXRCA TEST LET ME KNOW

      Connectivity Test Failed
 
Test Details
      Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      ExRCA is attempting to test Autodiscover for USERNAME@DOMAIN.com.
       Testing Autodiscover failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://DOMAIN.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name DOMAIN.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XX.XXX.XXX.XX <------THIS ADDRESS IS OUR WWW NOT OUR MAIL.DOMAIN/REMOTE.DOMAIN/ETC
      Testing TCP port 443 on host DOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server DOMAIN.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB. <------THIS HOSTMONSTER IS THE HOSTING COMPANY FOR OUR WWW SITE
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name DOMAIN.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Attempting to test potential Autodiscover URL https://autodiscover.DOMAIN.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.DOMAIN.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XX.XXX.XXX.XXX <-------OUR WWW ADDRESS
      Testing TCP port 443 on host autodiscover.DOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.DOMAIN.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name autodiscover.DOMAIN.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.DOMAIN.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XX.XXX.XXX.XXX <-----OUR WWW ADDRESS
      Testing TCP port 80 on host autodiscover.DOMAIN.com to ensure it's listening and open.
       The port was opened successfully.
      ExRCA is checking the host autodiscover.DOMAIN.com for an HTTP redirect to the Autodiscover service.
       ExRCA failed to get an HTTP redirect response for Autodiscover.
       
      Additional Details
       A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.DOMAIN.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.


© 2013 Microsoft | Version 2.1 | Feedback | Privacy | Terms of Use

Exchange_Geek:

What names are part of the Subject Alternative Name in your SAN cert?

Please list them along with your internal and external URL.

Regards,
Exchange_Geek
hdts (ASKER):
The SAN cert should have mail as the CN and remote & autodiscover as the SANs.

How do I know the internal domain? The external one is bluestarbussales.com; however, we do have the local one as bluestarbus.biz.

Exchange_Geek:

Issues with your setup


Mess #1: autodiscover isn't part of the certificate being presented on the internet.

Host name autodiscover.yourdomain.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.

Mess #2: autodiscover.yourdomain.com in DNS points to your vendor, which doesn't have autodiscover in its certificate.
Attempting to resolve the host name autodiscover.yourdomain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 74.xxx.xxx.230

Contact your vendor and question them.

Ideally, your autodiscover.domain.com should be pointing to your firewall and not your vendor. This isn't a www website; this is OL, this is Exchange, which needs to respond to such queries.

Regards,
Exchange_Geek
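The two checks ExRCA failed above, host name validation against the presented certificate and the Autodiscover lookup order, replayed offline as an added example (not code from the thread, from Exchange or from ExRCA); the certificates, the example.com domain and the served_by map are constructed stand-ins for the DNS lookup and port 443 probe ExRCA performs:

```python
# Constructed certificates as (subject CN, SAN dNSName list), modelled on the
# hosting provider's wildcard cert and the Exchange UCC cert from the thread.
HOSTING_WILDCARD = ("*.hostmonster.com", ["*.hostmonster.com", "hostmonster.com"])
EXCHANGE_UCC = ("mail.example.com",
                ["mail.example.com", "remote.example.com", "autodiscover.example.com"])

def name_matches(pattern, host):
    """RFC 6125 style match: a wildcard covers exactly one left-most label, so
    *.hostmonster.com matches www.hostmonster.com but not hostmonster.com,
    a.b.hostmonster.com or autodiscover.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".hostmonster.com"
    return host.endswith(suffix) and "." not in host[:-len(suffix)]

def cert_matches_host(cert, host):
    """With a SAN extension present only SAN names count; CN is the fallback."""
    cn, sans = cert
    return any(name_matches(name, host) for name in (sans or [cn]))

def autodiscover_candidates(email):
    """The lookup order ExRCA walked through, as (method, host, target)."""
    domain = email.rsplit("@", 1)[1]
    path = "/AutoDiscover/AutoDiscover.xml"
    return [
        ("https", domain, f"https://{domain}{path}"),
        ("https", f"autodiscover.{domain}", f"https://autodiscover.{domain}{path}"),
        ("http-redirect", f"autodiscover.{domain}", f"http://autodiscover.{domain}{path}"),
        ("srv", domain, f"_autodiscover._tcp.{domain}"),
    ]

def evaluate(email, served_by):
    """served_by maps host name -> certificate a TLS probe of that host returns
    (a constructed stand-in for DNS plus the port 443 connection).
    Returns (method, target, ok) per candidate; ok is None for the non-TLS
    methods, which this offline example does not exercise."""
    report = []
    for method, host, target in autodiscover_candidates(email):
        if method != "https":
            report.append((method, target, None))
            continue
        cert = served_by.get(host)
        report.append((method, target, cert is not None and cert_matches_host(cert, host)))
    return report
```

Feeding HOSTING_WILDCARD for both names reproduces the first ExRCA run; pointing autodiscover at EXCHANGE_UCC reproduces the second, where only the bare-domain candidate still fails.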
hdts (ASKER):
What about mail.domain.com?

In the past we never used autodiscover or remote, only mail.domain.com

Shouldn't mail.domain.com be working correctly?
hdts (ASKER):
We have successfully used mail.domain.com for years without issues... I would like to get autodiscover looking to the correct IP, but I am still stumped as to why mail.domain.com has stopped working and only gives a 404 message now.
ASKER CERTIFIED SOLUTION
Exchange_Geek:

This solution is only available to members of Experts Exchange.
hdts (ASKER):
Followed that, and now when trying to access mail.domain.com I get a request to present a certificate. I do not have one on the client side (as far as I know)...

I'm rebooting right now to see if that makes a difference.
hdts (ASKER):
Amazing! It is back up @ mail.domain.com!

Once autodiscover has updated to the new IP then I should be all set to go?

Is there anything else that I need to do on the server side?
hdts (ASKER):
Hey, sorry, one more thing I noticed.

remote.domain.com is pinging to the correct IP, but it also gives error 404. Do I need to reset IIS for this too?

Exchange_Geek:

A 404 error points to the default web site; check the link I gave.

Regards,
Exchange_Geek
hdts (ASKER):
So sorry, I wasn't paying attention.

The https://remote.domain.com gives me a 403 message (not 404).

Again - our webmail (mail.domain.com) is now working perfectly!

Exchange_Geek:

Webmail works well; that's great news. What about ExRCA, does it still give the 404 errors?

Regards,
Exchange_Geek
hdts (ASKER):
Here is the latest test. It looks like it thinks autodiscover is still pointing to the wrong address, but when I ping it, it is pinging the right IP...

      Connectivity Test Failed
 
Test Details
      Testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      ExRCA is attempting to test Autodiscover for nicholas@bluestarbussales.com.
       Testing Autodiscover failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://bluestarbussales.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name bluestarbussales.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 74.220.215.230
      Testing TCP port 443 on host bluestarbussales.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server bluestarbussales.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name bluestarbussales.com doesn't match any name found on the server certificate CN=*.hostmonster.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Attempting to test potential Autodiscover URL https://autodiscover.bluestarbussales.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.bluestarbussales.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 65.182.71.39
      Testing TCP port 443 on host autodiscover.bluestarbussales.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.bluestarbussales.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: CN=mail.bluestarbussales.com, OU=Domain Control Validated, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name autodiscover.bluestarbussales.com was found in the Certificate Subject Alternative Name entry.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate CN=mail.bluestarbussales.com, OU=Domain Control Validated.
       One or more certificate chains were constructed successfully.
       
      Additional Details
       A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
       
      Additional Details
       ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 4/5/2013 10:06:26 AM, NotAfter = 4/5/2016 10:06:26 AM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.bluestarbussales.com/AutoDiscover/AutoDiscover.xml for user nicholas@bluestarbussales.com.
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).


Exchange_Geek:

All looks good with ExRCA; what makes you think it's wrong?

Attempting to resolve the host name autodiscover.bluestarbussales.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: 65.182.71.39

Regards,
Exchange_Geek
hdts (ASKER):
You're right, I believe everything is fine now.

Exchange_Geek:

That was where I was concerned; all looked good to me. Glad to hear the magic words :)

Regards,
Exchange_Geek