Solved

Exchange 2013 certificate errors

Posted on 2013-12-19
Last Modified: 2014-02-20
We are in the middle of a migration from Exchange 2007 over to 2013. We still have our legacy server in place, but all of the mailboxes have been migrated over. Also, OWA and ECP are now running from the 2013 server.

We have a single-name certificate for mail.mycompany.com. I believe that I have it assigned to IMAP, SMTP, POP3, and IIS. I did this using the ECP.

When I go to the Event Viewer, I'm receiving Error ID 12014:

Microsoft Exchange could not find a certificate that contains the domain name EX1.mycompany.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Frontend EX1 with a FQDN parameter of EX1.mycompany.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

We still have some old receive connectors from the server that we want to decommission. I was wondering if I should delete those now that the new server is up and running? I am a little confused as to the way they should be set up. It created several connectors during the installation, more than we had with the Exchange 2007 server.

We have a single Exchange 2013 internet-facing server with both client access and mailbox roles. Any help would be appreciated. I'm really unsure where to start.
Question by:Ninja03
4 Comments
 
LVL 35

Expert Comment

by:Mahesh
This Warning event indicates that there is a problem loading a certificate to be used for STARTTLS purposes. Generally, this problem occurs if one or both of the following conditions is true:
The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange transport server, and no certificate is installed on the same computer that contains the FQDN in the Subject or Subject Alternative Name fields.
A third-party or custom certificate has been installed on the server and it contains a matching FQDN. However, the certificate is not enabled for the SMTP service.
Transport Layer Security (TLS) functionality requires that a valid certificate is installed in the computer's personal certificate store.

You can take the action mentioned in the articles below:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12014&EvtSrc=MSExchangeTransport

http://www.petenetlive.com/KB/Article/0000174.htm

You can disable unnecessary receive connectors on Exchange 2007.

Mahesh
0
 

Author Comment

by:Ninja03
I've disabled the send connectors on the 2007 machine. Following the article that you posted, I've set the "Client Frontend servername" connector to the FQDN of "mail.mycompany.com".

However, when I try to set the other receive connectors to the FQDN "mail.mycompany.com", I get the following error:

If the AuthMechanism attribute on a Receive connector contains the value ExchangeServer, you must set the FQDN parameter on the Receive connector to one of the following values: the FQDN of the transport server "servername.mycompany.com", the NetBIOS name of the transport server "Servername", or $null.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
You are getting the error while renaming the FQDN on the default receive connector?
Normally it's not good practice to rename the FQDN of the default receive connector if you have multiple transport servers, as it affects the internal mail routing.
In your case you have only one Exchange 2013 server.
Try the below:
You could request a new certificate from an internal CA server with the hostname (FQDN) mentioned in the error as the certificate common name, and assign it to the SMTP service.

This should hopefully resolve your problem.

Mahesh
0
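An added example, not part of the thread or of either poster's commands: a PowerShell check for the condition behind event 12014, reporting each Receive connector whose FQDN is not covered by an unexpired certificate enabled for SMTP. The function names, the wildcard rule and the sample objects are assumptions of this example; on a server the inputs come from Get-ReceiveConnector and Get-ExchangeCertificate.

```powershell
# Added example. Sample objects are constructed; on a server, pass the output
# of Get-ReceiveConnector and Get-ExchangeCertificate instead.

function Test-NameMatch {
    param([string]$Fqdn, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Fqdn) { return $true }
        # Assumption of this example: "*.domain" covers one left-most label.
        if ($d.StartsWith('*.') -and $Fqdn.Contains('.') -and
            ($Fqdn.Substring($Fqdn.IndexOf('.')) -ieq $d.Substring(1))) { return $true }
    }
    return $false
}

function Find-UncoveredConnectorFqdn {
    param($Connectors, $Certificates, [datetime]$Now = (Get-Date))
    # Only unexpired certificates enabled for SMTP can serve STARTTLS.
    $smtpCerts = @($Certificates | Where-Object {
        "$($_.Services)" -match '\bSMTP\b' -and $_.NotAfter -gt $Now })
    foreach ($rc in $Connectors) {
        $fqdn = "$($rc.Fqdn)"
        $hit = $smtpCerts | Where-Object {
            Test-NameMatch $fqdn @($_.CertificateDomains | ForEach-Object { "$_" })
        } | Select-Object -First 1
        if (-not $hit) {
            [pscustomobject]@{ Connector = "$($rc.Identity)"; Fqdn = $fqdn }
        }
    }
}

# Constructed sample mirroring the thread: one single-name certificate.
$connectors = @(
    [pscustomobject]@{ Identity = 'EX1\Default Frontend EX1'; Fqdn = 'EX1.mycompany.com' }
    [pscustomobject]@{ Identity = 'EX1\Client Frontend EX1';  Fqdn = 'mail.mycompany.com' }
)
$certs = @(
    [pscustomobject]@{ CertificateDomains = @('mail.mycompany.com')
                       Services = 'IMAP, POP, IIS, SMTP'
                       NotAfter = (Get-Date).AddYears(1) }
)

# Report connectors whose FQDN no SMTP-enabled certificate covers.
Find-UncoveredConnectorFqdn $connectors $certs | Format-Table -AutoSize

# Live use, in the Exchange Management Shell:
#   Find-UncoveredConnectorFqdn (Get-ReceiveConnector) (Get-ExchangeCertificate)
# After installing a certificate for the flagged name (placeholder thumbprint):
#   Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services SMTP
```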
 

Author Comment

by:Ninja03
I will give this a try today. Thank you.
0
