Solved

Mac Mail trying to use old self-signed certificate

Posted on 2014-01-15
Last Modified: 2014-06-26
There is a third party GoDaddy SSL certificate on the Exchange 2007 server (which is SBS 2008).  It has been working fine for years (yearly renewal).  This year I renewed it for three years, and because of the coming changes, I could not include the local server name in the alternate names.  I believe I have every part of Exchange / IIS referring only to the external URL for the domain, and for a month everything has been working fine.  Today, a user with Mac Mail opened the application and got an expired certificate warning - and it was trying to use the self-signed Sites certificate which expired in 2012.  I ran get-ExchangeCertificate and saw that SMTP was an assigned service for that certificate as well as for the GoDaddy certificate.  I'm not sure but I don't think that was the case before.  But anyway, I can't change the services to "none" - the command runs but doesn't change anything.  I am not sure whether to renew or remove the Sites certificate - it's been expired for over a year, so it must not be needed for anything, but I also know SBS gets picky about the way things are set up.  And mostly, I have no idea why this computer suddenly decided it wanted to use that certificate instead of the valid GoDaddy certificate.  I did run a test of the SSL certificate through SSLShopper and it passes with no issues.  Any thoughts would be appreciated!
Question by:landiiiks2
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39783608
Having multiple certificates with the SMTP function is fine. Perfectly normal, particularly as you cannot have internal names on the certificate.
If you have just the two certificates (Sites and your trusted one) then I would start by running new-exchangecertificate (no parameters) to create a new self signed internal transport certificate.

The next thing you should do is an Autodiscover test to confirm that you have caught everything. The important bit here is the bindings on the web sites, as SBS has multiple web sites involved.

Simon.
0
 

Author Comment

by:landiiiks2
ID: 39833965
I did run the command to create the new certificate, but the user is still getting the warning for the expired Sites certificate.  It still allows him to send and receive mail, but every time he opens MacMail he gets the warning.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39838343
Sites is another part of SBS. That would tend to suggest the bindings are not correct within SBS (SBS 2008 does the web sites on the server in a very odd way).

Run the fix my network wizard in the SBS console and see what that flags up.

Simon.
0

Author Comment

by:landiiiks2
ID: 39922456
I still can't find anything referring to Sites.  Very frustrating.  It isn't stopping mail, but it is an annoyance.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39924425
If you run get-exchangecertificate on the Exchange server, do you see a certificate called "Sites"?
If so, what services is it bound to?

Simon.
0
 

Author Comment

by:landiiiks2
ID: 39925460
There is a Sites certificate and it is bound to SMTP but it is expired (long since).  I tried to remove SMTP as a service but it didn't do it.  But everything should be looking to the GoDaddy certificate.  But I'm reluctant to just remove the Sites certificate in case I break something.  And I'm not sure why this issue has just popped up when the certificate expired long ago.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39926910
Is it bound to SMTP only?
When you tried to remove it, did it say something about it being the "default" certificate?
If so, run

new-exchangecertificate

No switches or anything. When you get the prompt about replacing the default SMTP certificate, say yes.

You should then be able to remove the Sites certificate.

Is it an old version of Mac Mail that doesn't use web services, but wants to send by SMTP? If so that could be the cause.

Simon.
0
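The steps from the accepted answer as an Exchange Management Shell sequence, added here as an illustration and not posted by any participant in the thread. It uses only the Get-/New-/Remove-ExchangeCertificate cmdlets; the `$Remediate` switch and the variable names are hypothetical, and with the switch left at `$false` the script only reports.

```powershell
# Run in the Exchange Management Shell on the Exchange server.
# $Remediate is a hypothetical switch for this example: leave it $false to audit only.
$Remediate = $false
$now = Get-Date

# 1. Inventory every certificate Exchange knows about and the services bound to it.
$certs = @(Get-ExchangeCertificate)
$certs | Sort-Object NotAfter |
    Format-List Thumbprint, Subject, Services, IsSelfSigned, NotAfter

# 2. Find certificates that are enabled for SMTP but past their expiry date.
$smtp    = @($certs | Where-Object { $_.Services.ToString() -match 'SMTP' })
$expired = @($smtp  | Where-Object { $_.NotAfter -lt $now })

foreach ($c in $expired) {
    Write-Warning ("Expired certificate still enabled for SMTP: {0} {1} (expired {2})" -f `
        $c.Thumbprint, $c.Subject, $c.NotAfter)
}

# 3. Report only, unless remediation was explicitly switched on.
if ($expired.Count -eq 0) {
    Write-Host 'No expired certificate is enabled for SMTP.'
}
elseif (-not $Remediate) {
    Write-Host 'Audit only. Set $Remediate = $true to apply the steps below.'
}
else {
    # New self-signed transport certificate, as in the accepted answer: no parameters,
    # answer Yes when prompted to replace the default SMTP certificate.
    New-ExchangeCertificate

    # Each removal asks for confirmation; add -WhatIf to preview without removing.
    foreach ($c in $expired) {
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint
    }

    # Re-check: nothing expired should remain enabled for SMTP.
    Get-ExchangeCertificate |
        Where-Object { $_.Services.ToString() -match 'SMTP' } |
        Format-List Thumbprint, Subject, Services, NotAfter
}
```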

Question has a verified solution.