  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2566
  • Last Modified:

URGENT!! MS Exchange will not deliver/send external emails

I was playing around with Certs today on my Edge server and I believe I accidentally deleted the cert that connects to the Client Hub.

Event Viewer info:
Microsoft Exchange could not find a certificate that contains the domain name STLEXED01.clearent.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector EdgeSync - Inbound to St-Louis-Datotel with a FQDN parameter of STLEXED01.clearent.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

Source: MSExchangeTransport
Event ID: 12014

Queue Viewer Message:
error 451 4.4.0 primary target ip address responded with 421 4.2.1 unable to connect

Can anyone assist me on resolving this issue? I am new to Exchange so my knowledge and jargon are not high level.

THANKS in advance!
Asked by: TechOps07

1 Solution
TMekeelCommented:
Run:
Get-ExchangeCertificate | fl

from the Exchange Shell.
Check the certificates that are applied to services, SMTP is the one in question.
How many certs do you have there, and are they all self-signed?
If so, you did delete it.  Re-add it to the server, and then enable it for smtp and whatever other services are applicable.

Not sure where you bought the cert from, but hopefully it is stored somewhere locally on the server already, and you just need to re-add.
0
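As an added check (my own script, not TMekeel's command or anything from the thread), the following PowerShell, run in the Exchange Management Shell on each server in turn, does what the advice above asks for in one pass: it lists every certificate with its SMTP binding, private-key status and expiry, and then verifies for each Receive connector on the local server that a certificate carrying the connector's FQDN is both enabled for SMTP and holds a private key, which is exactly the condition Event ID 12014 reports as missing. The cmdlets and certificate properties are the standard Exchange 2010 ones; the checks and layout are mine.

```powershell
# Added example: audit certificate-to-SMTP bindings on the local Exchange 2010 server.
# Run in the Exchange Management Shell on the Edge, then again on the Hub/CAS.

# 1. Inventory: one row per certificate in the Personal store as Exchange sees it.
$certs = Get-ExchangeCertificate
$certs |
    Select-Object Thumbprint, IsSelfSigned, HasPrivateKey, NotAfter,
        @{ n = 'Services'; e = { $_.Services.ToString() } },
        @{ n = 'Domains';  e = { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ', ' } } |
    Format-Table -AutoSize

# 2. Only certificates that can actually serve STARTTLS: enabled for SMTP and holding a private key.
#    A certificate whose private key was deleted shows HasPrivateKey = False and is useless for TLS.
$smtpCerts = $certs | Where-Object { ($_.Services -match 'SMTP') -and $_.HasPrivateKey }
if (-not $smtpCerts) {
    Write-Warning 'No certificate with a private key is enabled for SMTP on this server.'
}

# 3. For each Receive connector, the FQDN it advertises (or the machine FQDN when none is set)
#    must appear in the domain list of an SMTP-enabled certificate. A miss here is what
#    MSExchangeTransport Event ID 12014 complains about.
$machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ReceiveConnector -Server $env:COMPUTERNAME | ForEach-Object {
    $fqdn = $machineFqdn
    if ($_.Fqdn) { $fqdn = $_.Fqdn.ToString() }

    $match = $smtpCerts | Where-Object {
        ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn
    } | Select-Object -First 1

    $thumb   = ''
    $expires = $null
    if ($match) { $thumb = $match.Thumbprint; $expires = $match.NotAfter }

    New-Object PSObject -Property @{
        Connector     = $_.Identity.ToString()
        Fqdn          = $fqdn
        CertificateOk = [bool]$match
        Thumbprint    = $thumb
        Expires       = $expires
    }
} | Select-Object Connector, Fqdn, CertificateOk, Thumbprint, Expires | Format-Table -AutoSize
```

A connector row with CertificateOk = False on the Edge, while the same run on the Hub shows True, is the situation described in this thread: the Edge lost the certificate (or its private key) that its connector FQDN needs, so STARTTLS and the EdgeSync inbound connector both fail.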
 
TechOps07Author Commented:
TMekeel,

I just ran that command on my Mailbox server and I do not see an SMTP cert
Checked Client Hub, SMTP is there
Checked Edge, SMTP is not there.

Now how can I fix that?

Also checking the EventVwr on my Edge server I found this:

Microsoft Exchange could not load the certificate with thumbprint of 61427B21722B6DB217DB8002C19D4D347BF5B8B0 from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate 61427B21722B6DB217DB8002C19D4D347BF5B8B0 -services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, an ephemeral, self-signed certificate with thumbprint 401DF87FE48FFF810C916F26D65B9A76FE78DCFB is being used.

EventID: 12024
0
 
TechOps07Author Commented:
It seems to me that there is a Certificate issue and I am clueless on how to fix it.
0
 
TMekeelCommented:
If you do not have a backup of the private key, I believe you would have to rekey to the provider and re-download and import.

Who did you buy the cert from?

Alternatively, is it the same cert as the other server?
Export that from the other server and import it to the edge.
http://technet.microsoft.com/en-us/library/dd351274(v=exchg.141).aspx
0
 
TMekeelCommented:
Don't forget to apply it to services after you re-import it.
0
 
TMekeelCommented:
I know this is urgent for you so I am trying to get you advice as quickly as possible.
If you have the cert installed on the other server, then export it with the private key.

If you need help on how to do that follow this:
http://technet.microsoft.com/en-us/library/dd351274(v=exchg.141).aspx

Once exported follow this:
http://technet.microsoft.com/en-us/library/dd351183(v=exchg.141).aspx

Then add the relevant services following this:
http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx
0
 
TechOps07Author Commented:
Once I have exported the cert where do I import it at on the Edge? Would this be the Certificates>Personal>Certificates?
0
 
TechOps07Author Commented:
I appreciate your help very much.

Our Edge Server is in a workgroup while my Mailbox and Client Hub are on the domain, which is causing a problem trying to import it via your link in your last response.
0
 
TMekeelCommented:
You would do that though the EMC, instructions in 2nd link.

Then follow 3rd link to apply services such as smtp, iis, imap, pop to use the imported cert.
0
 
TechOps07Author Commented:
That is the thing, STLEXED01 is not listed in the Exchange server list to import the cert to. When I am in the server configuration and I select the Edge server it does not give me the option to import an Exchange cert either.

I believe this is because it is in a workgroup and not the domain.
0
 
TechOps07Author Commented:
OK, I ran the following commands through the shell that you gave links to, but still no green light yet.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certs\exchange.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Got the following message:
Import-ExchangeCertificate : Cannot import certificate. A certificate with the thumbprint 8CA5333784AE4D62CEF8EFADB207150209471E28 already exists.
At line:1 char:27
+ Import-ExchangeCertificate <<<<  -FileData ([Byte[]]$(Get-Content -Path c:\certs\exchange.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
    + CategoryInfo          : WriteError: (:) [Import-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : 770AD273,Microsoft.Exchange.Management.SystemConfigurationTasks.ImportExchangeCertificat

I enabled the SMTP services:
Enable-ExchangeCertificate -Server 'STLEXED01' -Services 'SMTP' -Thumbprint '8CA5333784AE4D62CEF8EFADB207150209471E28'

Received the following:
Current certificate: '61427B21722B6DB217DB8002C19D4D347BF5B8B0' (expires 1/18/2017 2:01:07 PM)
Replace it with certificate: '8CA5333784AE4D62CEF8EFADB207150209471E28' (expires 1/23/2015 4:54:04 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this Edge Transport server is subscribed to an Active Directory site, you must subscribe it again by using the New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.

I did overwrite, clicked "Retry" on the Queue Viewer to see if the messages would go through, same error.
0
 
TMekeelCommented:
Edge servers are not in the domain by design, and usually in the DMZ outside of your other servers.

Follow this post, it is exactly what you need.
http://msexchangeguru.com/2012/07/24/edge-server-tls/
0
 
TechOps07Author Commented:
TM,

Thanks, I am following that guide now and will report back soon.
0
 
TechOps07Author Commented:
This got me on the right path, per se. It did not work because I do not have access to the firewall to open the ports, as this cert was internal.

It looks like we do have an external cert from GoDaddy.com which I believe was used for the Edge to connect to internet and to our Client Hub.

Any suggestions on that?
0
 
TechOps07Author Commented:
I am wondering if I follow your advice on exporting that external cert from my Client Hub to the Edge, would that fix it.
0
 
TMekeelCommented:
It should. Essentially what happened is you deleted the private key.
Exporting it from the CAS to a file and then importing should work, using the guide in the last link I sent. I'd assume the root certs are already there.
0
 
TMekeelCommented:
Now that I am looking at your certs more closely, one expires 2017 and one expires 2015. So they are different. I think the best thing to do would be to generate a new CSR and rekey the cert with GoDaddy.
They have instructions for this on their site.
Unless the cert is the same for the edge and the Client access server, in that case you should be able to export with private key and then import as I said earlier.
0
 
TechOps07Author Commented:
Well I did what you said prior.

Enable-ExchangeCertificate -Thumbprint XXXXX -Services SMTP
Overwrite the existing

Remove-ExchangeCertificate -Thumbprint "OLD CERT"
Confirmed removal

Did the same thing on my Client Hub, emails going out works but still no emails coming in.
0
 
TechOps07Author Commented:
I get the following error:

Could not decrypt EdgeSync credential cn=ESRA.STLEXED01.STLEXCH01.0,CN=Services,CN=Configuration,CN={E49BCD2D-6892-499E-B2C3-31202E0603E3} using Edge default certificate with thumbprint D2EB8D5A1AD519745CA46E5055C581E275DB5315, The exception is Bad Data.
. Please unsubscribe and resubscribe your Edge Transort server.

So I am assuming I need to remove the subscription and re-add it. I will post back shortly.
0
 
TMekeelCommented:
Did you restart AD LDS on the Edge server?
0
 
TMekeelCommented:
Otherwise it should work to remove-edgesubscription and then new-edgesubscription as you mentioned.
0
 
TechOps07Author Commented:
I ran the following:

Remove-EdgeSubscription -Identity STLEXED01
New-EdgeSubscription -FileName "C:\edgesub.xml"

Tried to send external email to internal, still not working.
0
 
TechOps07Author Commented:
I did not restart the AD LDS on the Edge.
0
 
TechOps07Author Commented:
OK, I am restarting the Edge server, then I will check email again; if that doesn't work I will restart the AD LDS and Transport service manually.
0
 
TMekeelCommented:
If not, then the incorrect certificate is applied to the server.
The public key is incorrect, although resubscribing should fix that, assuming the SAN names are correct on the cert that you applied.
0
 
TMekeelCommented:
You ran the resubscription on the Hub Transport server correct?
0
 
TechOps07Author Commented:
How do I do that? Resubscription on Hub Transport?

I tried the New Edge Subscription from EMC but I get error:

Summary: 2 item(s). 1 succeeded, 1 failed.
Elapsed time: 00:00:00


Read file
Completed

Exchange Management Shell command completed:
Read binary stream from the file '\\10.254.250.100\c$\edgesubscription.xml'.

Elapsed Time: 00:00:00


Edge Subscription
Failed

Error:
The subscription file failed to load for the following reason: The direct trust certificate of the subscribed Edge Transport server with thumbprint 8CA5333784AE4D62CEF8EFADB207150209471E28 is a duplicate of the certificate of one of the HubTransport servers. Sharing the same certificate between Edge and Hub Transport servers is not allowed.

Exchange Management Shell command attempted:
New-EdgeSubscription -FileData '<Binary Data>' -Site 'clearent.lan/Configuration/Sites/St-Louis-Datotel' -CreateInternetSendConnector $true -CreateInboundSendConnector $true

Elapsed Time: 00:00:00
0
 
TMekeelCommented:
So the certs are different as suggested above. In that case generate a new csr and rekey with godaddy, then import the new keyed cert.
redo subscription and you should be good to go.
0
 
TechOps07Author Commented:
Can you explain "Certs are different as suggested above"? They are the same cert according to the error message.

I know my boss who has access to the GoDaddy cert reimported to the Edge server today after I deleted the damn certs by accident.

Do I need to export the GoDaddy Cert from Edge to the Hub?
0
 
TMekeelCommented:
No, what I said earlier that the thumbprint of the existing (deleted) cert was different, which is the one that appeared to expire 2017. You should rekey that one and import it to the edge.
0
 
TechOps07Author Commented:
I am only seeing the Cert from GoDaddy expiring in 2015
0
 
TechOps07Author Commented:
I am going to try to see if our network admin will open the ports on our domain to the Edge server workgroup so I can just set up an internal cert, as that may be easier; the person w/ access to the GoDaddy cert doesn't think redownloading the cert again is going to fix anything.


Either way I think you earned your points and then some, my friend. Deepest gratitude!
0
 
TechOps07Author Commented:
TMekeel went above and beyond helping me to the point I believe he earned more than 500pts!

Awesome Tech!!
0
 
TMekeelCommented:
Thanks!
If the godaddy one expires 2015, then that is correct. We've already tried that one.
0
 
TechOps07Author Commented:
TMekeel,

I opened up a case w/ MS Support last night, and what they did to resolve it was create a new cert on the Edge and Hub Transport, renew the subscription, and it started to work.

New-ExchangeCertificate -Services SMTP

You had me on the right track and I wish I knew more about certs. Thank you a lot for your dedication to my issue!
0
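The sequence MS Support applied, written out as an added PowerShell example (mine, not the thread's or Microsoft's script), with the one guard this thread shows is needed: the Edge and the Hub must each present their own internal transport certificate, because EdgeSync encrypts its credentials to the Edge's certificate and refuses a subscription whose Edge certificate duplicates a Hub certificate (the "direct trust certificate ... is a duplicate" error above). Assumptions: Exchange 2010, the site name St-Louis-Datotel and the file path C:\edgesub.xml from the thread, and ADAM_MSExchange as the service name of the Exchange-created AD LDS instance on the Edge. The Edge thumbprint value is a placeholder to be pasted from the Edge's output.

```powershell
# Added example: fresh self-signed internal transport certificates on Edge and Hub,
# then a clean Edge Subscription. Exchange 2010 Management Shell on each server.

### A. On the Edge Transport server (workgroup member; its own local shell)

# New self-signed certificate for the server FQDN, bound to SMTP at once. -Force suppresses
# the "replace the current internal transport certificate?" prompt quoted in the thread.
$edgeCert = New-ExchangeCertificate -Services SMTP -Force
"Edge internal transport certificate: $($edgeCert.Thumbprint)"

# Drop the stale subscription on the Edge side (identity is the Edge server name).
Remove-EdgeSubscription -Identity $env:COMPUTERNAME -Confirm:$false

# The transport certificate changed, so AD LDS must re-read it (service name is an
# assumption: ADAM_MSExchange); transport is restarted so the new key is in use.
Restart-Service ADAM_MSExchange
Restart-Service MSExchangeTransport

# Export a new subscription file; move it to the Hub over an authenticated channel,
# never over an unauthenticated share, since it carries the Edge's credential material.
New-EdgeSubscription -FileName 'C:\edgesub.xml' -Force

### B. On the Hub Transport server (domain member)

# Matching fresh internal transport certificate on the Hub.
$hubCert = New-ExchangeCertificate -Services SMTP -Force
"Hub internal transport certificate: $($hubCert.Thumbprint)"

# Guard against the duplicate-certificate failure from the thread: Edge and Hub must differ.
$edgeThumbprint = '<PASTE-EDGE-THUMBPRINT-PRINTED-IN-STEP-A>'   # placeholder, not a real value
$hubSmtpThumbs  = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object { $_.Thumbprint }
if ($hubSmtpThumbs -contains $edgeThumbprint) {
    throw 'Edge and Hub share an SMTP certificate; EdgeSync will refuse this subscription.'
}

# Remove the old subscription object for this Edge, then load the new file into the site.
Remove-EdgeSubscription -Identity 'STLEXED01' -Confirm:$false
$fileData = [Byte[]]$(Get-Content -Path 'C:\edgesub.xml' -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site 'St-Louis-Datotel' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Push configuration now rather than waiting for the EdgeSync interval, then verify.
Start-EdgeSynchronization -Server $env:COMPUTERNAME
Test-EdgeSynchronization | Format-List

# Hygiene: the subscription file is only valid for one import; remove the copy on disk.
Remove-Item 'C:\edgesub.xml' -ErrorAction SilentlyContinue
```

Restarting AD LDS before exporting the subscription file matters: the warning quoted earlier in the thread says exactly that after the internal transport certificate changes, and the "Could not decrypt EdgeSync credential ... Bad Data" event is what an Edge still holding the old key produces.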
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 20
  • 15
Tackle projects and never again get stuck behind a technical roadblock.
Join Now