Solved

Mac Mail trying to use old self-signed certificate

Posted on 2014-01-15
Last Modified: 2014-06-26
There is a third party GoDaddy SSL certificate on the Exchange 2007 server (which is SBS 2008).  It has been working fine for years (yearly renewal).  This year I renewed it for three years, and because of the coming changes, I could not include the local server name in the alternate names.  I believe I have every part of Exchange / IIS referring only to the external URL for the domain, and for a month everything has been working fine.  Today, a user with Mac Mail opened the application and got an expired certificate warning - and it was trying to use the self-signed Sites certificate which expired in 2012.  I ran get-ExchangeCertificate and saw that SMTP was an assigned service for that certificate as well as for the GoDaddy certificate.  I'm not sure but I don't think that was the case before.  But anyway, I can't change the services to "none" - the command runs but doesn't change anything.  I am not sure whether to renew or remove the Sites certificate - it's been expired for over a year, so it must not be needed for anything, but I also know SBS gets picky about the way things are set up.  And mostly, I have no idea why this computer suddenly decided it wanted to use that certificate instead of the valid GoDaddy certificate.  I did run a test of the SSL certificate through SSLShopper and it passes with no issues.  Any thoughts would be appreciated!
Question by:landiiiks2
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39783608
Having multiple certificates with the SMTP function is fine. Perfectly normal, particularly as you cannot have internal names on the certificate.
If you have just the two certificates (Sites and your trusted one) then I would start by running new-exchangecertificate (no parameters) to create a new self-signed internal transport certificate.

The next thing you should do is an Autodiscover test to confirm that you have caught everything. The important bit here is the bindings on the web sites, as SBS has multiple web sites involved.

Simon.

Author Comment

by:landiiiks2
ID: 39833965
I did run the command to create the new certificate, but the user is still getting the warning for the expired Sites certificate.  It still allows him to send and receive mail, but every time he opens MacMail he gets the warning.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39838343
Sites is another part of SBS. That would tend to suggest the bindings are not correct within SBS (SBS 2008 does the web sites on the server in a very odd way).

Run the Fix My Network wizard in the SBS console and see what that flags up.

Simon.

Author Comment

by:landiiiks2
ID: 39922456
I still can't find anything referring to Sites.  Very frustrating.  It isn't stopping mail, but it is an annoyance.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39924425
If you run get-exchangecertificate on the Exchange server, do you see a certificate called "Sites"?
If so, what services is it bound to?

Simon.

Author Comment

by:landiiiks2
ID: 39925460
There is a Sites certificate and it is bound to SMTP but it is expired (long since).  I tried to remove SMTP as a service but it didn't do it.  But everything should be looking to the GoDaddy certificate.  But I'm reluctant to just remove the Sites certificate in case I break something.  And I'm not sure why this issue has just popped up when the certificate expired long ago.
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
ID: 39926910
Is it bound to SMTP only?
When you tried to remove it, did it say something about it being the "default" certificate?
If so, run

new-exchangecertificate

No switches or anything. When you get the prompt about replacing the default SMTP certificate, say yes.

You should then be able to remove the Sites certificate.

Is it an old version of Mac Mail that doesn't use web services, but wants to send by SMTP? If so that could be the cause.

Simon.
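
Added example, not part of the thread: the accepted answer raises the possibility that the client is connecting over SMTP, which has its own certificate binding in Exchange. This PowerShell function reports which certificate the SMTP listener presents after STARTTLS, so it can be matched by thumbprint against the output of Get-ExchangeCertificate. The server name `mail.example.com` and the function name are placeholders, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example. 'mail.example.com' is a placeholder for the SMTP server name
# configured in the mail client. Assumes Windows PowerShell 2.0 or later.
function Get-SmtpTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # An SMTP reply can span several lines; only the last has "NNN " (space).
        $readReply = {
            do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
            $line
        }

        $null = & $readReply                      # 220 greeting
        $writer.WriteLine('EHLO certcheck.invalid')
        $null = & $readReply                      # 250 capability list
        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply -notmatch '^220') { throw "STARTTLS not accepted: $reply" }

        # Accept whatever is presented so an expired certificate can be inspected.
        # Nothing is sent over this session after the handshake.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAny)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $cert | Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
    }
    finally { $client.Close() }
}

$presented = Get-SmtpTlsCertificate -Server 'mail.example.com' -Port 25
$presented | Format-List

# In the Exchange Management Shell, map the presented certificate to its entry:
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -eq $presented.Thumbprint } |
    Format-List Subject, NotAfter, Services
```

Run it against each port the mail client is configured to send on; the last pipeline needs the Exchange Management Shell on the server.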