Solved

Problem with new SSL certificate

Posted on 2013-05-16
Last Modified: 2013-05-20
I have a small SBS2008 network of 10 users and I use a standard single Godaddy SSL certificate for OWA etc.

Rather than renew the SSL for five years at £200 a pop, I opted for a new 5 year option at £20 and, because of the time delay in verifying the certificate, I started the CSR request before the old one expired.

This meant renaming the common name from remote.ourdomain.com to mail.ourdomain.com. I installed it yesterday in IIS7 and OWA is working fine with the new name.

I thought everyone would need to change the mail server on their Blackberries and iPhones but (up to now) they are working fine with the old one. However, today the workstations are getting the Outlook 2007 security alert which says the name on the certificate is wrong or invalid. You can view the certificate (the new one), but it's looking for the old one.

I saw something online about adding my IP address and cert name to Hosts, but this didn't work.

Thanks for any ideas.


Caroline
Question by:carolinems

15 Comments

Expert Comment

by:Morasiva
Hi,

Follow the below article and change the Exchange URLs to the FQDN which is specified on the new certificate. Wait some time for the changes to replicate.

http://www.petenetlive.com/KB/Article/0000036.htm

Author Comment

by:carolinems
Thanks Morasiva.

I assume Pete means go to the Shell not the Console.

The Exchange-Mail in red that needs to be changed for my text - is that the exchange server name (local name as he says)?

Author Comment

by:carolinems
I edited and pasted the following into the Exchange Shell on my SBS2008 server:
 

Set-ClientAccessServer -Identity MYSERVER - AutodiscoverServiceInternalUrl https://mail.mydomain.co.uk/autodiscover/autodiscover.xml  

Set-WebServicesVirtualDirectory -Identity "MYSERVER\EWS (SBS Web  Applications)" -InternalUrl  https://mail.mydomain.co.uk/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "MYSERVER\oab (SBS Web  Applications)" -InternalUrl https://mail.mydomain.co.uk/oab

Set-UMVirtualDirectory -Identity "MYSERVER\unifiedmessaging (SBS  Web Applications)" -InternalUrl  https://mail.mydomain.co.uk/unifiedmessaging/service.asmx


It threw back the following errors:


[PS] C:\Windows\System32>Set-ClientAccessServer -Identity  MYSERVER -
Set-ClientAccessServer : A parameter cannot be found that matches  parameter nam
e '-'.
At line:1 char:23
+ Set-ClientAccessServer  <<<< -Identity MYSERVER -
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>AutodiscoverServiceInternalUri
The term 'AutodiscoverServiceInternalUri' is not recognized as a  cmdlet, functi
on, operable program, or script file. Verify the term and try again.
At line:1 char:31
+ AutodiscoverServiceInternalUri  <<<<
[PS] C:\Windows\System32>
[PS]  C:\Windows\System32>https://mail.mydomain.co.uk/autodiscover/autod iscove
r.xml
The term  'https://mail.mydomain.co.uk/autodiscover/autodiscover.xml' is not
recognized as a cmdlet, function, operable program, or script file.  Verify the
term and try again.
At line:1 char:60
+ https://mail.mydomain.co.uk/autodiscover/autodiscover.xml <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity  "MYSERVER
\EWS (SBS Web
>>
>> Applications)" -InternalUrl
>>
Set-WebServicesVirtualDirectory : Missing an argument for parameter  'InternalUr
l'. Specify a parameter of type 'System.Uri' and try again.
At line:2 char:28
+ Applications)" -InternalUrl  <<<<
[PS]  C:\Windows\System32>https://mail.mydomain.co.uk/ews/exchange.asmx
The term 'https://mail.mydomain.co.uk/ews/exchange.asmx' is not  recognized a
s a cmdlet, function, operable program, or script file. Verify the  term and try
 again.
At line:1 char:48
+ https://mail.mydomain.co.uk/ews/exchange.asmx <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-OABVirtualDirectory -Identity  "MYSERVER\oab (SB
S Web
>>
>> Applications)" -InternalUrl https://mail.mydomain.co.uk/oab
>>
Set-OabVirtualDirectory : The operation could not be performed  because object '
MYSERVER\oab (SBS Web
Applications)' could not be found on domain controller  'MYSERVER.mydomain.local'.
At line:1 char:24
+ Set-OABVirtualDirectory  <<<< -Identity "MYSERVER\oab (SBS Web
[PS] C:\Windows\System32>Set-UMVirtualDirectory -Identity  "MYSERVER\unifiedm
essaging (SBS
>>
>> Web Applications)" -InternalUrl
>>
Set-UMVirtualDirectory : Missing an argument for parameter  'InternalUrl'. Speci
fy a parameter of type 'System.Uri' and try again.
At line:2 char:32
+ Web Applications)" -InternalUrl  <<<<
[PS]  C:\Windows\System32>https://mail.mydomain.co.uk/unifiedmessaging/s ervice
.asmx

Expert Comment

by:Simon Butler (Sembee)
This is SBS - so you shouldn't be changing things in Exchange directly.

Run the Internet Name wizard in SBS again, do a custom name. You can then change it from remote.example.com to mail.example.com. Once the wizard has completed, run the SSL wizard, choosing an existing certificate. That will correct everything for you.

Although personally if you were switching to a single name certificate I would have stayed with remote.example.com and changed all the DNS to match.

Simon.

Author Comment

by:carolinems
Simon, I tried that for ages yesterday before submitting the post.

Please let me know if I am doing this incorrectly, but if I go into SBS Console > Connectivity > Set up an Internet Address, it tells me to run the Internet Connection Wizard first.

When I run this and enter the IPs for the Router and Server, it tells me Windows SBS has encountered an unknown error. This stops the DHCP server service. I have checked to ensure IP v6 is enabled on the NIC. I have also disabled Hamachi and Symantec on the server.

Thanks,

Caroline

Expert Comment

by:Simon Butler (Sembee)
You have other problems with the server then.
I would remove the Hamachi service and reboot.
Symantec AV brings me loads of business because of the problems it causes, so I would remove that as well (I wouldn't put it back either, but that is just me).
You must reboot before trying again.

Simon.

Author Comment

by:carolinems
Thanks, I'll have to wait until everyone's finished before I can reboot the server. My gut feeling is this will not resolve the wizard problem, but I would be delighted to be proved wrong.

One other point I should mention.

The certificate is bound to the SBS Web Application sites in IIS on port 443. I've checked the certificates list and there are about 12 expired remote.mydomain.co.uk, 2 Godaddy and 12 server generated ones. There are 4 current ones, the current Godaddy and 3 server ones.

However, my MX record is remote.mydomain.co.uk linked to myExternalIP.

Besides the annoying pop-up from Exchange, mail in and out is working fine on the PCs and mobile phones. I guess then once I have successfully changed the certificate name in Exchange, I should request the MX record be changed to mail.mydomain.co.uk? Or would it be better to add it as a second record - can 2 MX records have the same IP?

At first, I looked at the certificate as a way to connect to the website (OWA), but with the changes to exchange I am looking at having to do, exchange will now be looking for an MXRecord (mail.mydomain.co.uk) that doesn't currently exist.


Caroline

Author Comment

by:carolinems
I just tried running the connect to internet wizard twice, once after removing Hamachi and then rebooting and repeated after taking off Symantec. Unfortunately it's still coming up with the same error.

The following event error appeared after the last failure:

Log Name:      Application
Source:        MSExchangeTransport
Date:          17/05/2013 18:27:00
Event ID:      12016
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      myserver.mydomain.local
Description:
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of remote.mydomain.co.uk. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of remote.mydomain.co.uk should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12016</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-17T17:27:00.000Z" />
    <EventRecordID>997360</EventRecordID>
    <Channel>Application</Channel>
    <Computer>myserver.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>remote.mydomain.co.uk</Data>
    <Data>C0B014A008503A744D25D94A3D89989B9B1836FD</Data>
  </EventData>
</Event>

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
The error you have posted will be corrected by the wizard once it completes successfully, as the wizards will generate a new self-signed certificate for you. Then you can replace it with your trusted SSL certificate. You can have multiple MX records pointing at the same IP address if you like.

The wizard generates a log file - this is a list of where they are:
http://blogs.technet.com/b/sbs/archive/2008/10/01/key-small-business-server-2008-log-files.aspx

It should give you an indication of where it is failing. Usually it is a sign that something was configured outside of SBS and it needs to be put back to what SBS is expecting for the wizard to complete.

Simon.

Author Comment

by:carolinems
Thanks Simon, nearly sorted.

I failed to notice Hamachi running in the background, stopping me and the server from disabling/removing it and causing the wizard to stop.

The error messages have gone. I have not yet added the "mail" MX record, but mail seems unaffected; do mail servers only look for the IP?

Expert Comment

by:Simon Butler (Sembee)
Do you have an MX record in place at all?
If the MX record host name resolves, then mail will continue to work correctly. However, if you make the host name on the SSL certificate match your MX record host name then Exchange will do opportunistic TLS (SMTP over SSL) if the other side supports it.

Simon.
0
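Both the Outlook name warning that Morasiva's comment addresses (Exchange URLs still advertising the old host name) and Simon's point above about the MX host name matching the certificate for opportunistic TLS come down to one check: does every host name Exchange advertises appear on the certificate? The script below is an added example, not code from this thread; it uses a constructed single-name certificate and constructed endpoint URLs built from the placeholder names in the thread, and it also handles wildcard certificates, which this thread's single-name certificate does not need.

```python
from urllib.parse import urlparse

# Constructed sample: the names on the new single-name certificate (CN only,
# no SANs) and the endpoints Exchange/SBS is still advertising to clients.
CERT_NAMES = ["mail.mydomain.co.uk"]

ENDPOINTS = {
    "AutoDiscoverServiceInternalUri": "https://remote.mydomain.co.uk/autodiscover/autodiscover.xml",
    "EWS InternalUrl": "https://remote.mydomain.co.uk/ews/exchange.asmx",
    "OAB InternalUrl": "https://mail.mydomain.co.uk/oab",
    "MX host": "remote.mydomain.co.uk",  # SMTP TLS partners match the cert on this name
}


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style comparison: exact match, or a left-most '*' label that
    covers exactly one label (no partial-label or multi-level wildcards)."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # e.g. ".mydomain.co.uk"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def host_of(endpoint: str) -> str:
    """Accept either a full URL or a bare host name (as an MX record gives)."""
    parsed = urlparse(endpoint if "://" in endpoint else "//" + endpoint)
    return parsed.hostname or ""


def find_mismatches(cert_names, endpoints):
    """Return {label: host} for every endpoint whose host no certificate name covers.
    Each such host is one a client (Outlook, a phone, a sending MTA) will warn about."""
    bad = {}
    for label, endpoint in endpoints.items():
        host = host_of(endpoint)
        if not any(name_matches(name, host) for name in cert_names):
            bad[label] = host
    return bad


if __name__ == "__main__":
    for label, host in find_mismatches(CERT_NAMES, ENDPOINTS).items():
        print(f"{label}: {host} is not on the certificate -> clients will warn")
```

On a real server the inputs would come from the CertificateDomains of Get-ExchangeCertificate and the URLs reported by Get-ClientAccessServer, Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory, or, on SBS, from the wizards Simon describes.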

Author Comment

by:carolinems
If I do an mxtoolbox lookup it reports remote.mydomain.co.uk as the MX record. This was changed from a BT address when we were using an SBS POP connector to our own SMTP.

Should I add the new "mail" record or leave it as it is?

Thanks

Caroline

Expert Comment

by:Simon Butler (Sembee)
That is up to you.
If you have users still using remote.example.co.uk then you might want to change it and then drop the A record completely, so that the host name doesn't work any longer. As I wrote above, I would have stayed with remote as the host name rather than changing to mail.

From a technical point of view there is nothing to be gained or lost from adding the additional host name to the MX record, other than making things "clean".

Simon.

Author Comment

by:carolinems
Thanks Simon.

I'm going to add the record.

Yesterday, the mobiles began to lose the connection and I've told everyone to change their settings to "mail".

I've one more email problem but I am starting a new thread for that as you have more than adequately answered my question.

Author Closing Comment

by:carolinems
This was the key to resolving the problem