carolinems
Problem with new SSL certificate

I have a small SBS2008 network of 10 users and I use a standard single Godaddy SSL certificate for OWA etc.

Rather than renew the SSL for five years at £200 a pop, I opted for a new 5 year option at £20 and, because of the time delay in verifying the certificate, I started the CSR request before the old one expired.

This meant renaming the common name from remote.ourdomain.com to mail.ourdomain.com. I installed it yesterday in IIS7 and OWA is working fine with the new name.

I thought everyone would need to change the mail server on their Blackberries and iPhones but (up to now) they are working fine with the old one. However, today the workstations are getting the Outlook 2007 security alert which says the name on the certificate is wrong or invalid. You can view the certificate (the new one), but it's looking for the old one.

I saw something online about adding my IP address and cert name to Hosts, but this didn't work.

Thanks for any ideas.


Caroline
Morasiva

Hi,

Follow the article below and change the Exchange URLs to the FQDN specified on the new certificate. Wait some time for the changes to replicate.

http://www.petenetlive.com/KB/Article/0000036.htm
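The procedure in the linked article, as an added example that is not code from the thread or from the article: before (or instead of) typing each Set-* cmdlet by hand, audit the URLs Exchange 2007 hands to Outlook through Autodiscover against the names on the certificate enabled for IIS, and rewrite only the ones that do not match. Note the Autodiscover parameter is spelled -AutoDiscoverServiceInternalUri and each cmdlet must be on one line; the virtual directories are found with -Server rather than a typed "SERVER\name (site)" identity, so a mistyped site name (or a line break inside it) cannot produce a "could not be found" error. $Server and $NewFqdn are assumptions. It is written for the PowerShell 1.0 shell that SBS 2008 ships with.

```powershell
# Added example, not code from the thread or the linked article. Audits the URLs that
# Exchange 2007 hands to Outlook through Autodiscover against the names on the certificate
# enabled for IIS, and rewrites them only when -Apply is given. Run it in the Exchange
# Management Shell on the SBS 2008 server (PowerShell 1.0 syntax, so no -join or
# [pscustomobject]). $Server and $NewFqdn are assumptions.
param(
    [string]$Server  = $env:COMPUTERNAME,      # Exchange/SBS server name
    [string]$NewFqdn = "mail.mydomain.co.uk",  # common name on the new certificate
    [switch]$Apply                             # omit to report only
)

# Names the IIS-bound certificate actually covers (CN plus any SAN entries).
$iisCert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $iisCert) { throw "No unexpired certificate is enabled for IIS on $Server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-NameCovered([string]$HostName) {
    # Exact match against a certificate name, or a wildcard for the host's parent domain.
    $parent = $HostName -replace '^[^.]+\.', ''
    return (($certNames -contains $HostName) -or ($certNames -contains "*.$parent"))
}

# Each client-facing URL: a script block that reads it and one that points it at $NewFqdn.
# Virtual directories are located with -Server rather than a typed "SERVER\name (site)"
# identity, so a mistyped site name (or a line break inside it) cannot make them "not found".
$targets = @(
    @{ Name = "Autodiscover SCP"
       Read = { (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri }
       Fix  = { Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$NewFqdn/autodiscover/autodiscover.xml" } },
    @{ Name = "EWS InternalUrl"
       Read = { (Get-WebServicesVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl }
       Fix  = { Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "https://$NewFqdn/ews/exchange.asmx" } },
    @{ Name = "OAB InternalUrl"
       Read = { (Get-OabVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl }
       Fix  = { Get-OabVirtualDirectory -Server $Server | Set-OabVirtualDirectory -InternalUrl "https://$NewFqdn/oab" } },
    @{ Name = "UM InternalUrl"
       Read = { (Get-UMVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl }
       Fix  = { Get-UMVirtualDirectory -Server $Server | Set-UMVirtualDirectory -InternalUrl "https://$NewFqdn/unifiedmessaging/service.asmx" } }
)

"Certificate for IIS: {0}  names: {1}" -f $iisCert.Thumbprint, [string]::Join(", ", [string[]]$certNames)
foreach ($t in $targets) {
    $current = & $t.Read 2>$null
    if (-not $current) {
        "{0,-18} (not present on this server, skipped)" -f $t.Name
        continue
    }
    $hostName = ([uri]"$current").Host.ToLower()
    if (Test-NameCovered $hostName) {
        "{0,-18} {1,-30} ok" -f $t.Name, $hostName
    } elseif ($Apply) {
        & $t.Fix
        "{0,-18} {1,-30} MISMATCH -> set to $NewFqdn" -f $t.Name, $hostName
    } else {
        "{0,-18} {1,-30} MISMATCH (rerun with -Apply to fix)" -f $t.Name, $hostName
    }
}
```

Run it once without -Apply to see which URLs still point at the old host name, then with -Apply to change only those. On SBS the supported route is still the Internet Address and SSL wizards (as the next reply says); this script is useful for seeing what those wizards are expected to leave behind, and for spotting a URL they did not touch.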
carolinems
Thanks Morasiva.

I assume Pete means go to the Shell not the Console.

The Exchange-Mail in red that needs to be changed for my text - is that the exchange server name (local name as he says)?
I edited and pasted the following into the Exchange Shell on my SBS2008 server:
 

Set-ClientAccessServer -Identity MYSERVER - AutodiscoverServiceInternalUrl https://mail.mydomain.co.uk/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "MYSERVER\EWS (SBS Web  Applications)" -InternalUrl  https://mail.mydomain.co.uk/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "MYSERVER\oab (SBS Web  Applications)" -InternalUrl https://mail.mydomain.co.uk/oab

Set-UMVirtualDirectory -Identity "MYSERVER\unifiedmessaging (SBS  Web Applications)" -InternalUrl  https://mail.mydomain.co.uk/unifiedmessaging/service.asmx


It threw back the following errors:


[PS] C:\Windows\System32>Set-ClientAccessServer -Identity MYSERVER -
Set-ClientAccessServer : A parameter cannot be found that matches parameter name '-'.
At line:1 char:23
+ Set-ClientAccessServer <<<< -Identity MYSERVER -
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>AutodiscoverServiceInternalUri
The term 'AutodiscoverServiceInternalUri' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:31
+ AutodiscoverServiceInternalUri <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>https://mail.mydomain.co.uk/autodiscover/autodiscover.xml
The term 'https://mail.mydomain.co.uk/autodiscover/autodiscover.xml' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:60
+ https://mail.mydomain.co.uk/autodiscover/autodiscover.xml <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity "MYSERVER\EWS (SBS Web
>>
>> Applications)" -InternalUrl
>>
Set-WebServicesVirtualDirectory : Missing an argument for parameter 'InternalUrl'. Specify a parameter of type 'System.Uri' and try again.
At line:2 char:28
+ Applications)" -InternalUrl <<<<
[PS] C:\Windows\System32>https://mail.mydomain.co.uk/ews/exchange.asmx
The term 'https://mail.mydomain.co.uk/ews/exchange.asmx' is not recognized as a cmdlet, function, operable program, or script file. Verify the term and try again.
At line:1 char:48
+ https://mail.mydomain.co.uk/ews/exchange.asmx <<<<
[PS] C:\Windows\System32>
[PS] C:\Windows\System32>Set-OABVirtualDirectory -Identity "MYSERVER\oab (SBS Web
>>
>> Applications)" -InternalUrl https://mail.mydomain.co.uk/oab
>>
Set-OabVirtualDirectory : The operation could not be performed because object 'MYSERVER\oab (SBS Web
Applications)' could not be found on domain controller 'MYSERVER.mydomain.local'.
At line:1 char:24
+ Set-OABVirtualDirectory <<<< -Identity "MYSERVER\oab (SBS Web
[PS] C:\Windows\System32>Set-UMVirtualDirectory -Identity "MYSERVER\unifiedmessaging (SBS
>>
>> Web Applications)" -InternalUrl
>>
Set-UMVirtualDirectory : Missing an argument for parameter 'InternalUrl'. Specify a parameter of type 'System.Uri' and try again.
At line:2 char:32
+ Web Applications)" -InternalUrl <<<<
[PS] C:\Windows\System32>https://mail.mydomain.co.uk/unifiedmessaging/service.asmx
Simon Butler (Sembee)
This is SBS - so you shouldn't be changing things in Exchange directly.

Run the Internet Name wizard in SBS again, do a custom name. You can then change it from remote.example.com to mail.example.com. Once the wizard has completed, run the SSL wizard, choosing an existing certificate. That will correct everything for you.

Although personally if you were switching to a single name certificate I would have stayed with remote.example.com and changed all the DNS to match.

Simon.
Simon, I tried that for ages yesterday before submitting the post.

Please let me know if I am doing this incorrectly, but if I go into SBS Console > Connectivity> Set up an Internet Address, it tells me to run the Internet Connection Wizard first.

When I run this and enter the IPs for the Router and Server, it tells me Windows SBS has encountered an unknown error. This stops the DHCP server service. I have checked to ensure IPv6 is enabled on the NIC. I have also disabled Hamachi and Symantec on the server.

Thanks,

Caroline
You have other problems with the server then.
I would remove the Hamachi service and reboot.
Symantec AV brings me loads of business because of the problems it causes, so I would remove that as well (I wouldn't put it back either, but that is just me).
You must reboot before trying again.

Simon.
Thanks, I'll have to wait until everyone's finished before I can reboot the server. My gut feeling is this will not resolve the wizard problem, but I would be delighted to be proved wrong.

One other point I should mention.

The certificate is bound to the SBS Web Application sites in IIS on port 443. I've checked the certificates list and there are about 12 expired remote.mydomain.co.uk, 2 Godaddy and 12 server generated ones. There are 4 current ones, the current Godaddy and 3 server ones.

However, my MX record is remote.mydomain.co.uk linked to myExternalIP.

Besides the annoying pop-up from Exchange, mail in and out is working fine on the PCs and mobile phones. I guess then once I have successfully changed the certificate name in Exchange, I should request the MX record be changed to mail.mydomain.co.uk? Or would it be better to add it as a second record - can 2 MX records have the same IP?

At first, I looked at the certificate as a way to connect to the website (OWA), but with the changes to Exchange I am looking at having to do, Exchange will now be looking for an MX record (mail.mydomain.co.uk) that doesn't currently exist.


Caroline
I just tried running the connect to internet wizard twice, once after removing Hamachi and then rebooting and repeated after taking off Symantec. Unfortunately it's still coming up with the same error.

The following event error appeared after the last failure:

Log Name:      Application
Source:        MSExchangeTransport
Date:          17/05/2013 18:27:00
Event ID:      12016
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      myserver.mydomain.local
Description:
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of remote.mydomain.co.uk. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of remote.mydomain.co.uk should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12016</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-17T17:27:00.000Z" />
    <EventRecordID>997360</EventRecordID>
    <Channel>Application</Channel>
    <Computer>myserver.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>remote.mydomain.co.uk</Data>
    <Data>C0B014A008503A744D25D94A3D89989B9B1836FD</Data>
  </EventData>
</Event>
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
Thanks Simon, nearly sorted.

I failed to notice Hamachi running in the background, stopping me and the server from disabling/removing it and causing the wizard to stop.

Error messages have gone but I have not yet added the "mail" MX record, but the mail seems unaffected. Do mail servers only look for the IP?
Do you have an MX record in place at all?
If the MX record host name resolves, then mail will continue to work correctly. However if you make the host name on the SSL certificate match your MX record host name then Exchange will do opportunistic TLS (SMTP over SSL) if the other side supports it.

Simon.
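The transport side of this, as an added example that is not code from the thread: Event 12016 earlier in the thread is Exchange saying that the only certificate it holds for the FQDN remote.mydomain.co.uk has expired, and transport can only present an unexpired certificate that is enabled for SMTP and carries the FQDN configured on the Send/Receive connector. The script below lists every certificate in the Exchange store with its services and expiry, checks each connector FQDN (and the MX host name, which is what other mail servers connect to for opportunistic TLS) against the names on the valid SMTP-enabled certificates, and can bind the new certificate to SMTP and prune expired certificates that are bound to nothing. $Server, $MxHost and $NewThumbprint are assumptions; the thumbprint to pass is the one Get-ExchangeCertificate prints for the current GoDaddy certificate. PowerShell 1.0 syntax for the Exchange 2007 shell on SBS 2008.

```powershell
# Added example, not code from the thread. Shows which certificate the Exchange 2007
# transport service can present for STARTTLS, checks that every Send/Receive connector
# FQDN (and the MX host name) is covered by an unexpired certificate enabled for SMTP,
# and optionally binds the new certificate to SMTP and prunes expired, unbound ones.
# Run in the Exchange Management Shell (PowerShell 1.0 syntax). $Server, $MxHost and
# $NewThumbprint are assumptions.
param(
    [string]$Server        = $env:COMPUTERNAME,
    [string]$MxHost        = "remote.mydomain.co.uk",  # host name your MX record points at
    [string]$NewThumbprint = "",                        # empty: report only, change nothing
    [switch]$RemoveExpired                              # delete expired certs bound to no service
)

$now   = Get-Date
$certs = @(Get-ExchangeCertificate)

function Get-CertNames($cert) {
    return @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
}

"Certificates in the Exchange store on ${Server}:"
foreach ($c in $certs) {
    if ($c.NotAfter -lt $now) { $state = "EXPIRED " + $c.NotAfter.ToShortDateString() }
    else                      { $state = "valid to " + $c.NotAfter.ToShortDateString() }
    "  {0} {1,-14} {2,-20} {3}" -f $c.Thumbprint, $c.Services, $state, [string]::Join(", ", [string[]](Get-CertNames $c))
}

# Only an unexpired certificate enabled for SMTP can be presented by transport, so a
# connector FQDN (or the MX host, for inbound opportunistic TLS) must be on one of these.
$smtpNames = @()
foreach ($c in $certs) {
    if ($c.NotAfter -ge $now -and "$($c.Services)" -match "SMTP") { $smtpNames += Get-CertNames $c }
}

function Test-FqdnCovered([string]$Fqdn) {
    $f = $Fqdn.ToLower()
    $parent = $f -replace '^[^.]+\.', ''
    if (($smtpNames -contains $f) -or ($smtpNames -contains "*.$parent")) { return "ok" }
    return "NO VALID SMTP CERT (expect Event 12016/12014)"
}

# A Receive connector with an empty Fqdn presents the server's own FQDN.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

"Connector and MX host names:"
foreach ($rc in @(Get-ReceiveConnector -Server $Server)) {
    $f = "$($rc.Fqdn)"; if (-not $f) { $f = $serverFqdn }
    "  receive {0,-34} {1,-28} {2}" -f $rc.Name, $f, (Test-FqdnCovered $f)
}
foreach ($sc in @(Get-SendConnector)) {
    $f = "$($sc.Fqdn)"; if (-not $f) { $f = $serverFqdn }
    "  send    {0,-34} {1,-28} {2}" -f $sc.Name, $f, (Test-FqdnCovered $f)
}
"  MX      {0,-34} {1,-28} {2}" -f "(DNS MX record)", $MxHost, (Test-FqdnCovered $MxHost)

if ($NewThumbprint) {
    $new = $certs | Where-Object { $_.Thumbprint -eq $NewThumbprint }
    if (-not $new)              { throw "No certificate with thumbprint $NewThumbprint in the Exchange store" }
    if ($new.NotAfter -lt $now) { throw "Certificate $NewThumbprint has already expired" }
    # Enabling SMTP adds to the certificate's existing services (its IIS binding stays).
    # Exchange may prompt before it replaces the default SMTP certificate; confirm only if
    # the names printed above for this certificate cover the connector FQDNs.
    Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services SMTP
}

if ($RemoveExpired) {
    foreach ($c in $certs) {
        # Never touch a certificate still bound to a service: the SBS wizards track the
        # live certificate by thumbprint and expect it to be there.
        if ($c.NotAfter -lt $now -and "$($c.Services)" -eq "None") {
            Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
        }
    }
}
```

With a single-name certificate there is only one name that can come out "ok", which is the practical reason behind keeping the certificate name, the connector FQDN and the MX host name the same rather than changing one of them: any connector or MX host that reports "NO VALID SMTP CERT" either needs its FQDN changed to the certificate name, or a certificate that carries that name.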
If I do an mxtoolbox lookup it reports remote.mydomain.co.uk as the MX record. This was changed from a BT address when we were using the SBS POP connector to our own SMTP.

Should I add the new "mail" record or leave it as it is?

Thanks

Caroline
That is up to you.
If you have users still using remote.example.co.uk then you might want to change it and then drop the A record completely, so that the host name doesn't work any longer. As I wrote above I would have stayed with remote as the host name rather than changing to mail.

From a technical point of view there is nothing to be gained or lost from adding the additional host name to the MX record, other than making things "clean".

Simon.
Thanks Simon.

I'm going to add the record.

Yesterday, the mobiles began to lose the connection and I've told everyone to change their settings to "mail".

I've one more email problem but I am starting a new thread for that as you have more than adequately answered my question.
This was the key to resolving the problem