Solved

Mac Mail trying to use old self-signed certificate

Posted on 2014-01-15
Last Modified: 2014-06-26
There is a third party GoDaddy SSL certificate on the Exchange 2007 server (which is SBS 2008).  It has been working fine for years (yearly renewal).  This year I renewed it for three years, and because of the coming changes, I could not include the local server name in the alternate names.  I believe I have every part of Exchange / IIS referring only to the external URL for the domain, and for a month everything has been working fine.  Today, a user with Mac Mail opened the application and got an expired certificate warning - and it was trying to use the self-signed Sites certificate which expired in 2012.  I ran get-ExchangeCertificate and saw that SMTP was an assigned service for that certificate as well as for the GoDaddy certificate.  I'm not sure but I don't think that was the case before.  But anyway, I can't change the services to "none" - the command runs but doesn't change anything.  I am not sure whether to renew or remove the Sites certificate - it's been expired for over a year, so it must not be needed for anything, but I also know SBS gets picky about the way things are set up.  And mostly, I have no idea why this computer suddenly decided it wanted to use that certificate instead of the valid GoDaddy certificate.  I did run a test of the SSL certificate through SSLShopper and it passes with no issues.  Any thoughts would be appreciated!
Question by:landiiiks2

Expert Comment

by:Simon Butler (Sembee)
ID: 39783608
Having multiple certificates with the SMTP function is fine. Perfectly normal, particularly as you cannot have internal names on the certificate.
If you have just the two certificates (Sites and your trusted one) then I would start by running new-exchangecertificate (no parameters) to create a new self-signed internal transport certificate.

The next thing you should do is an Autodiscover test to confirm that you have caught everything. The important bit here is the bindings on the web sites, as SBS has multiple web sites involved.

Simon.

Author Comment

by:landiiiks2
ID: 39833965
I did run the command to create the new certificate, but the user is still getting the warning for the expired Sites certificate.  It still allows him to send and receive mail, but every time he opens MacMail he gets the warning.

Expert Comment

by:Simon Butler (Sembee)
ID: 39838343
Sites is another part of SBS. That would tend to suggest the bindings are not correct within SBS (SBS 2008 does the web sites on the server in a very odd way).

Run the Fix My Network wizard in the SBS console and see what that flags up.

Simon.

Author Comment

by:landiiiks2
ID: 39922456
I still can't find anything referring to Sites.  Very frustrating.  It isn't stopping mail, but it is an annoyance.

Expert Comment

by:Simon Butler (Sembee)
ID: 39924425
If you run get-exchangecertificate on the Exchange server, do you see a certificate called "Sites"?
If so, what services is it bound to?

Simon.

Author Comment

by:landiiiks2
ID: 39925460
There is a Sites certificate and it is bound to SMTP but it is expired (long since).  I tried to remove SMTP as a service but it didn't do it.  But everything should be looking to the GoDaddy certificate.  But I'm reluctant to just remove the Sites certificate in case I break something.  And I'm not sure why this issue has just popped up when the certificate expired long ago.

Accepted Solution

by:Simon Butler (Sembee)
ID: 39926910
Is it bound to SMTP only?
When you tried to remove it, did it say something about it being the "default" certificate?
If so, run

new-exchangecertificate

No switches or anything. When you get the prompt about replacing the default SMTP certificate, say yes.

You should then be able to remove the Sites certificate.

Is it an old version of Mac Mail that doesn't use web services, but wants to send by SMTP? If so that could be the cause.

Simon.
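
The sequence from the accepted answer, written out for the Exchange Management Shell as an added example that is not part of the original thread. It generalizes from the certificate named "Sites" to any expired certificate still bound to SMTP, which is an assumption about how to identify it; the variable names are illustrative.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange 2007 server. Variable names are illustrative.

# 1. Inventory: every certificate Exchange knows about, its bound services
#    and its expiry date, oldest expiry first.
$certs = @(Get-ExchangeCertificate)
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, Services, IsSelfSigned, NotAfter -AutoSize

# 2. Expired certificates that are still enabled for SMTP.
#    Assumption: "expired and bound to SMTP" identifies the stale Sites
#    certificate; confirm the Subject in the table above before removing.
$now     = Get-Date
$expired = @($certs | Where-Object {
    "$($_.Services)" -match 'SMTP' -and $_.NotAfter -lt $now
})

if ($expired.Count -eq 0) {
    Write-Host 'No expired certificate is bound to SMTP.'
}
else {
    # 3. Create a new self-signed transport certificate (no parameters).
    #    Answer "yes" when prompted to replace the default SMTP certificate,
    #    so the expired one is no longer the default and can be removed.
    New-ExchangeCertificate

    # 4. Safety check: at least one unexpired certificate must remain
    #    bound to SMTP before anything is deleted.
    $valid = @(Get-ExchangeCertificate | Where-Object {
        "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt (Get-Date)
    })

    if ($valid.Count -eq 0) {
        Write-Warning 'No valid SMTP certificate found; not removing anything.'
    }
    else {
        # 5. Remove each expired SMTP-bound certificate by thumbprint,
        #    with a confirmation prompt for every deletion.
        foreach ($c in $expired) {
            Write-Host "Removing $($c.Subject) (expired $($c.NotAfter))"
            Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm
        }
    }
}
```

Re-run `Get-ExchangeCertificate` afterwards to confirm that only unexpired certificates remain bound to SMTP.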