

Problem with new SSL certificate

Posted on 2013-05-16
Medium Priority
Last Modified: 2013-05-20
I have a small SBS2008 network of 10 users and I use a standard single Godaddy SSL certificate for OWA etc.

Rather than renew the SSL for five years at £200  a pop, I opted for a new 5 year option at £20 and, because of the time delay in verifying the certificate, I started the CSR request before the old one expired.

This meant renaming the common name from remote.ourdomain.com to mail.ourdomain.com. I installed it yesterday in IIS7 and OWA is working fine with the new name.

I thought everyone would need to change the mail server on the their Blackberries and iPhones but (up to now) they are working fine with the old one. However, today the workstations are getting the Outlook 2007 security alert which says the name on the certificate is wrong or invalid. You can view the certificate (the new one), but it's looking for the old one.

I saw something online about adding my IP address and cert name to Hosts, but this didn't work.

Thanks for any ideas.

Question by:carolinems

Expert Comment

ID: 39173236

Follow the below article and change the Exchange URLs to the FQDN specified on the new certificate. Wait for some time for the changes to replicate.


Author Comment

ID: 39173948
Thanks Morasiva.

I assume Pete means go to the Shell not the Console.

The Exchange-Mail in red that needs to be changed for my text - is that the exchange server name (local name as he says)?

Author Comment

ID: 39174020
I edited and pasted the following into the Exchange Shell on my SBS2008 server:

Set-ClientAccessServer -Identity MYSERVER - AutodiscoverServiceInternalUrl https://mail.mydomain.co.uk/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "MYSERVER\EWS (SBS Web Applications)" -InternalUrl https://mail.mydomain.co.uk/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "MYSERVER\oab (SBS Web Applications)" -InternalUrl https://mail.mydomain.co.uk/oab

Set-UMVirtualDirectory -Identity "MYSERVER\unifiedmessaging (SBS Web Applications)" -InternalUrl https://mail.mydomain.co.uk/unifiedmessaging/service.asmx

It threw back the following errors:

[PS] C:\Windows\System32>Set-ClientAccessServer -Identity  MYSERVER -
Set-ClientAccessServer : A parameter cannot be found that matches  parameter nam
e '-'.
At line:1 char:23
+ Set-ClientAccessServer  <<<< -Identity MYSERVER -
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>AutodiscoverServiceInternalUri
The term 'AutodiscoverServiceInternalUri' is not recognized as a  cmdlet, functi
on, operable program, or script file. Verify the term and try again.
At line:1 char:31
+ AutodiscoverServiceInternalUri  <<<<
[PS] C:\Windows\System32>
[PS]  C:\Windows\System32>https://mail.mydomain.co.uk/autodiscover/autod iscove
The term  'https://mail.mydomain.co.uk/autodiscover/autodiscover.xml' is not
recognized as a cmdlet, function, operable program, or script file.  Verify the
term and try again.
At line:1 char:60
+ https://mail.mydomain.co.uk/autodiscover/autodiscover.xml <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity  "MYSERVER
>> Applications)" -InternalUrl
Set-WebServicesVirtualDirectory : Missing an argument for parameter  'InternalUr
l'. Specify a parameter of type 'System.Uri' and try again.
At line:2 char:28
+ Applications)" -InternalUrl  <<<<
[PS]  C:\Windows\System32>https://mail.mydomain.co.uk/ews/exchange.asmx
The term 'https://mail.mydomain.co.uk/ews/exchange.asmx' is not  recognized a
s a cmdlet, function, operable program, or script file. Verify the  term and try
At line:1 char:48
+ https://mail.mydomain.co.uk/ews/exchange.asmx <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-OABVirtualDirectory -Identity  "MYSERVER\oab (SB
S Web
>> Applications)" -InternalUrl https://mail.mydomain.co.uk/oab
Set-OabVirtualDirectory : The operation could not be performed  because object '
Applications)' could not be found on domain controller  'MYSERVER.mydomain.local'.
At line:1 char:24
+ Set-OABVirtualDirectory  <<<< -Identity "MYSERVER\oab (SBS Web
[PS] C:\Windows\System32>Set-UMVirtualDirectory -Identity  "MYSERVER\unifiedm
essaging (SBS
>> Web Applications)" -InternalUrl
Set-UMVirtualDirectory : Missing an argument for parameter  'InternalUrl'. Speci
fy a parameter of type 'System.Uri' and try again.
At line:2 char:32
+ Web Applications)" -InternalUrl  <<<<
[PS]  C:\Windows\System32>https://mail.mydomain.co.uk/unifiedmessaging/s ervice

LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39174438
This is SBS - so you shouldn't be changing things in Exchange directly.

Run the Internet Name wizard in SBS again, do a custom name. You can then change it from remote.example.com to mail.example.com. Once the wizard has completed, run the SSL wizard, choosing an existing certificate. That will correct everything for you.

Although personally if you were switching to a single name certificate I would have stayed with remote.example.com and changed all the DNS to match.


Author Comment

ID: 39174563
Simon, I tried that for ages yesterday before submitting the post.

Please let me know if I am doing this incorrectly, but if I go into SBS Console > Connectivity> Set up an Internet Address, it tells me to run the Internet Connection Wizard first.

When I run this and enter the IPs for the Router and Server, it tells me Windows SBS has encountered an unknown error. This stops the DHCP server service. I have checked to ensure IPv6 is enabled on the NIC. I have also disabled Hamachi and Symantec on the server.


LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39174614
You have other problems with the server then.
I would remove the Hamachi service and reboot.
Symantec AV brings me loads of business because of the problems it causes, so I would remove that as well (I wouldn't put it back either, but that is just me).
You must reboot before trying again.


Author Comment

ID: 39174751
Thanks, I'll have to wait until everyone's finished before I can reboot the server. My gut feeling is this will not resolve the wizard problem, but I would be delighted to be proved wrong.

One other point I should mention.

The certificate is bound to the SBS Web Application sites in IIS on port 443. I've checked the certificates list and there are about 12 expired remote.mydomain.co.uk, 2 Godaddy and 12 server generated ones. There are 4 current ones, the current Godaddy and 3 server ones.

However, my mxrecord is remote.mydomain.co.uk linked to myExternalIP.

Besides the annoying pop-up, Exchange mail in and out is working fine on the PCs and mobile phones. I guess then, once I have successfully changed the certificate name in Exchange, I should request the MX record be changed to mail.mydomain.co.uk? Or would it be better to add it as a second record - can 2 MX records have the same IP?

At first, I looked at the certificate as a way to connect to the website (OWA), but with the changes to Exchange I am looking at having to do, Exchange will now be looking for an MX record (mail.mydomain.co.uk) that doesn't currently exist.


Author Comment

ID: 39175528
I just tried running the connect to internet wizard twice, once after removing Hamachi and then rebooting and repeated after taking off Symantec. Unfortunately it's still coming up with the same error.

The following event error appeared after the last failure:

Log Name:      Application
Source:        MSExchangeTransport
Date:          17/05/2013 18:27:00
Event ID:      12016
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      myserver.mydomain.local
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of remote.mydomain.co.uk. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of remote.mydomain.co.uk should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12016</EventID>
    <TimeCreated SystemTime="2013-05-17T17:27:00.000Z" />
    <Security />
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 39176087
The error you have posted will be corrected by the wizard once it completes successfully, as the wizards will generate a new self signed certificate for you. Then you can replace it with your trusted SSL certificate. You can have multiple MX records pointing at the same IP address if you like.

The wizard generates a log file - this is a list of where they are:

It should give you an indication of where it is failing. Usually it is a sign that something was configured outside of SBS and it needs to be put back to what SBS is expecting for the wizard to complete.


Author Comment

ID: 39177135
Thanks Simon, nearly sorted.

I failed to notice Hamachi running in the background, which stopped me and the server from disabling/removing it and caused the wizard to stop.

The error messages have gone. I have not yet added the "mail" MX record, but mail seems unaffected. Do mail servers only look for the IP?
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39177143
Do you have an MX record in place at all?
If the MX record host name resolves, then mail will continue to work correctly. However, if you make the host name on the SSL certificate match your MX record host name, then Exchange will do opportunistic TLS (SMTP over SSL) if the other side supports it.
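As an added offline check (not code from the thread or from SBS), this lists which of the host names SBS publishes (Autodiscover, EWS, OAB, OWA) and the MX host name would fail the name check that produces the Outlook alert above, or stop opportunistic TLS from matching, against the names on a certificate. It goes slightly beyond the thread's single-name case by also handling wildcard certificates; the host names and URLs are constructed to mirror the thread (new certificate for mail.mydomain.co.uk, old remote.mydomain.co.uk still configured).

```python
from urllib.parse import urlsplit

def host_matches(pattern, host):
    """RFC 6125-style name check: exact match, or a wildcard in the
    leftmost label only ('*.x.y' covers 'a.x.y' but not 'a.b.x.y')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def find_mismatches(cert_names, endpoints):
    """endpoints maps a service label to the URL (or bare host name) SBS
    hands out; returns the services whose host is not on the certificate."""
    mismatched = {}
    for service, target in endpoints.items():
        host = urlsplit(target).hostname if "://" in target else target
        if not any(host_matches(name, host) for name in cert_names):
            mismatched[service] = host
    return mismatched

# Constructed sample mirroring the thread: a single-name certificate for
# mail.mydomain.co.uk, while Autodiscover/EWS/OAB and the MX record still
# carry the old remote.mydomain.co.uk name.
NEW_CERT_NAMES = ["mail.mydomain.co.uk"]
SBS_ENDPOINTS = {
    "AutoDiscoverServiceInternalUri": "https://remote.mydomain.co.uk/autodiscover/autodiscover.xml",
    "EWS InternalUrl": "https://remote.mydomain.co.uk/ews/exchange.asmx",
    "OAB InternalUrl": "https://remote.mydomain.co.uk/oab",
    "OWA ExternalUrl": "https://mail.mydomain.co.uk/owa",
    "MX host (opportunistic TLS)": "remote.mydomain.co.uk",
}

if __name__ == "__main__":
    for service, host in find_mismatches(NEW_CERT_NAMES, SBS_ENDPOINTS).items():
        print(f"{service}: {host} is not on the certificate (name mismatch)")
```

Every entry it reports is one the SBS wizards (or a matching certificate name) must fix before Outlook stops alerting; an empty result means every published name is covered.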


Author Comment

ID: 39177360
If I do an mxtoolbox lookup it reports remote.mydomain.co.uk as the MX record. This was changed from a BT address when we were using an SBS POP connector to our own SMTP.

Should I add the new "mail" record or leave it as it is?


LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39180305
That is up to you.
If you have users still using remote.example.co.uk then you might want to change it and then drop the A record completely, so that the host name doesn't work any longer. As I wrote above, I would have stayed with remote as the host name rather than changing to mail.

From a technical point of view there is nothing to be gained or lost from adding the additional host name to the MX record, other than making things "clean".


Author Comment

ID: 39180527
Thanks Simon.

I'm going to add the record.

Yesterday, the mobiles began to lose the connection and I've told everyone to change their settings to "mail".

I've one more email problem, but I am starting a new thread for that as you have more than adequately answered my question.

Author Closing Comment

ID: 39180529
This was the key to resolving the problem
