Solved

Exchange Security Certificates INVALID, All Works Except POP3 SSL

Posted on 2013-05-10
1
318 Views
Last Modified: 2013-09-05
About 3 weeks ago one of our techs purchased and installed a new SSL certificate for our exchange server.  Everything was and is working fine on IMAP internally and externally, and OWA.  The problem is with our POP3 SSL clients.  Seemingly after the new certs were installed our POP users would get intermittent authentication errors when establishing a session.  In an effort to troubleshoot the problem, I enabled POP3 logging and restarted the POP3 service of Exchange 2007.  That was 3 days ago.  Now, no POP3 users are able to connect at all.  I stopped the logging, and no difference.  

I came to find out later that when the upgraded certs were installed 3 weeks ago, the Exchange server was never not.  Possibly when I restarted the POP3 service for logging, that did something?

To throw more confusion in the mix, about 3 months ago, we switched from a Barracuda firewall appliance to Barracuda spam filter service.  Since then, the Event viewer has been logging RED 12014 Transport errors saying Exchange couldn't find a certificate for the Barracuda networks domain.  True, because Barracuda was not named on the old cert and actually it's not named on the new cert either (I don't know if it can because we don't own it????)  (See attached error file.)

Anyway, since the POP3 stopped working 3 days ago, that's when I started looking at the logs and found the Barracuda / cert error as well as errors saying that the IMAP and POP3 services didn't have certificates associated with them.  Unfortunately, I accidentally erased the log and don't have the event IDs for those errors--I'm sure more will come today and I will let you know what they are if anyone tries to help me.

The plot thickens:  Exchange Shell shows that we have 6 certificates installed (see cert_list.txt).  All are self-signed except the one CA cert that we got from Godaddy 3 weeks ago.  The Godaddy cert says that it is INVALID, yet if you go to SSLShopper.com and use the Cert Tool, it says everything is OK.  And, before we installed it, our on-site employees were getting Certificate errors in Outlook, now they are not.  Also, OWA, and Exchange mail on my Android cell works without errors.

Question: I want to just get rid of all the certs and re-install the Godaddy cert and one self-signed certificate that has all our domains as well as the Barracuda domain--is that a good idea?  

Another thing, I made one self-signed cert last night and installed it.  We have the Certificate Service installed on our PDC and used it to self-authenticate?  I noticed a couple of things about it.  First, it shows that it is NOT self-signed, i.e. IsSelfSigne: FALSE, and that it is only associated with IMAP, POP, and UM.  I tried to use the Enable command: Enable-ExchangeCertificate -Thumbprint xxxx  -Services "POP, IMAP, UM, IIS, SMTP"  but I keep getting an error about services.  The Shell also won't let me remove the cert.

I know I've described a bunch of problems and maybe it should be broken up into a number of questions, but I wanted to give you the whole confusing picture.

Thanks in advance.
Event-12014.txt
cert-list.txt
0
Question by:basstech
1 Comment
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39155728
If you suspect the GoDaddy certificate then you can get it rekeyed. Generate a new request in Exchange and then rekey it through their system. You have 24 hours to replace the certificates after doing that.

The reason the certificate generated by your CA isn't self-signed is because it isn't - it wasn't generated by Exchange itself. Therefore if you have published the root to the domain and the clients trust it, then it would be fine. However as you have a commercial certificate I wouldn't bother.

Not sure what you are referring to with the Barracuda error. Is it perhaps referring to the FQDN on the send connector?

Simon.
0
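The following diagnostic script is an added example, not part of the question, the accepted answer, or any Exchange documentation. It is written for the Exchange 2007 Management Shell and walks the three problems in the thread in order: which certificate is bound to which service and whether Exchange itself can build its trust chain (a Status of Invalid in Get-ExchangeCertificate is evaluated from the server's own certificate store, so a missing intermediate CA on the server can show as Invalid while an external checker, which sees the chain the server sends, reports it fine); whether the POP3/IMAP4 settings name a certificate that is actually POP/IMAP-enabled; and which connector FQDNs the transport service is trying to find a certificate for (the source of event 12014). The host name in `$clientHost` and the thumbprint placeholder are assumptions to be replaced with your own values; the binding commands at the end are left commented out so the script only reads state when run as-is.

```powershell
# Added diagnostic script (not from the original thread). Assumes the Exchange 2007
# Management Shell. $clientHost is a placeholder for the name POP3/IMAP4 clients connect to.
$clientHost = "mail.example.com"

# 1. Inventory: which certificate is bound to which service, and does Exchange trust it?
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, Status, NotAfter

# 2. Chain check from the server's point of view. Exchange reads the same LocalMachine\My
#    store, so a certificate that fails here is the one Exchange reports as Invalid.
$exchangeThumbprints = Get-ExchangeCertificate | ForEach-Object { $_.Thumbprint }
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if ($exchangeThumbprints -notcontains $cert.Thumbprint) { continue }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        "{0} ({1}): chain does NOT build on this server" -f $cert.Thumbprint, $cert.Subject
        foreach ($status in $chain.ChainStatus) {
            "    " + $status.Status + ": " + $status.StatusInformation.Trim()
        }
    }
    if (-not $cert.HasPrivateKey) {
        "{0}: no private key on this server (cannot be used for SSL)" -f $cert.Thumbprint
    }
}

# 3. POP3/IMAP4 select their certificate by the name in X509CertificateName; a certificate
#    that is merely bound to the POP service but does not carry that name will not be used.
$popName  = (Get-PopSettings).X509CertificateName
$imapName = (Get-ImapSettings).X509CertificateName
"POP3 expects a certificate named:  $popName"
"IMAP4 expects a certificate named: $imapName"
$popCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "POP" }
$popMatch = $popCerts | Where-Object {
    ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $popName
}
if (-not $popMatch) {
    "WARNING: no POP-enabled certificate carries the name '$popName'"
}

# 4. Event 12014 is raised when the transport service cannot find a certificate whose names
#    include the Fqdn configured on a connector. Compare these against CertificateDomains of
#    the SMTP-bound certificate; a connector Fqdn in a domain you do not own can never match.
Get-SendConnector    | Format-Table Name, Fqdn -AutoSize
Get-ReceiveConnector | Format-Table Name, Fqdn -AutoSize

# 5. Binding the commercial certificate. -Services takes a comma-separated list without spaces
#    inside a quoted string. Replace the thumbprint placeholder, then uncomment to apply.
# Enable-ExchangeCertificate -Thumbprint <THUMBPRINT_OF_COMMERCIAL_CERT> -Services POP,IMAP,IIS,SMTP
# Set-PopSettings  -X509CertificateName $clientHost
# Set-ImapSettings -X509CertificateName $clientHost
# Restart-Service MSExchangePOP3
# Restart-Service MSExchangeIMAP4
```

Run the read-only part first and keep its output: the chain-status lines tell you whether the Invalid status is a trust problem on the server (fix by installing the missing intermediate CA into the computer's Intermediate Certification Authorities store) or a missing private key (fix by re-importing or rekeying, as the answer suggests), and the X509CertificateName check explains the case where POP3 fails while OWA on the same certificate works.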
