Solved

Mac Mail trying to use old self-signed certificate

Posted on 2014-01-15
7
395 Views
Last Modified: 2014-06-26
There is a third party GoDaddy SSL certificate on the Exchange 2007 server (which is SBS 2008).  It has been working fine for years (yearly renewal).  This year I renewed it for three years, and because of the coming changes, I could not include the local server name in the alternate names.  I believe I have every part of Exchange / IIS referring only to the external URL for the domain, and for a month everything has been working fine.  Today, a user with Mac Mail opened the application and got an expired certificate warning - and it was trying to use the self-signed Sites certificate which expired in 2012.  I ran get-ExchangeCertificate and saw that SMTP was an assigned service for that certificate as well as for the GoDaddy certificate.  I'm not sure but I don't think that was the case before.  But anyway, I can't change the services to "none" - the command runs but doesn't change anything.  I am not sure whether to renew or remove the Sites certificate - it's been expired for over a year, so it must not be needed for anything, but I also know SBS gets picky about the way things are set up.  And mostly, I have no idea why this computer suddenly decided it wanted to use that certificate instead of the valid GoDaddy certificate.  I did run a test of the SSL certificate through SSLShopper and it passes with no issues.  Any thoughts would be appreciated!
0
Comment
Question by:landiiiks2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39783608
Having multiple certificates with the SMTP function is fine. Perfectly normal, particularly as you cannot have internal names on the certificate.
If you have just the two certificates (Sites and your trusted one) then I would start by running new-exchangecertificate (no parameters) to create a new self signed internal transport certificate.

The next thing you should do is an Autodiscover test to confirm that you have caught everything. The important bit here is the bindings on the web sites, as SBS has multiple web sites involved.

Simon.
0
 

Author Comment

by:landiiiks2
ID: 39833965
I did run the command to create the new certificate, but the user is still getting the warning for the expired Sites certificate.  It still allows him to send and receive mail, but every time he opens MacMail he gets the warning.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39838343
Sites is another part of SBS. That would tend to suggest the bindings are not correct within SBS (SBS 2008 does the web sites on the server in a very odd way).

Run the fix my network wizard in the SBS console and see what that flags up.

Simon.
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 

Author Comment

by:landiiiks2
ID: 39922456
I still can't find anything referring to Sites.  Very frustrating.  It isn't stopping mail, but it is an annoyance.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39924425
If you run get-exchangecertificate on the Exchange server, so you see a certificate called "Sites" ?
If so, what services is it bound to?

Simon.
0
 

Author Comment

by:landiiiks2
ID: 39925460
There is a Sites certificate and it is bound to SMTP but it is expired (long since).  I tried to remove SMTP as a service but it didn't do it.  But everything should be looking to the GoDaddy certificate.  But I'm reluctant to just remove the Sites certificate in case I break something.  And I'm not sure why this issue has just popped up when the certificate expired long ago.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39926910
Is it bound to SMTP only?
When you tried to remove it, did it say something about it being the "default" certificate?
If so, run

new-exchangecertificate

No switches or anything. When you get the prompt about replacing the default SMTP certificate, say yes.

You should then be able to remove the Sites certificate.

Is it an old version of Mac Mail that doesn't use web services, but wants to send by SMTP? If so that could be the cause.

Simon.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PHP contact form that lets the user to contact the company through email contact form. A button is fixed at the bottom of site, on clicking a new window will open where a user can send the email.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
This video discusses moving either the default database or any database to a new volume.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question