Solved

Mac Mail trying to use old self-signed certificate

Posted on 2014-01-15
7
389 Views
Last Modified: 2014-06-26
There is a third party GoDaddy SSL certificate on the Exchange 2007 server (which is SBS 2008).  It has been working fine for years (yearly renewal).  This year I renewed it for three years, and because of the coming changes, I could not include the local server name in the alternate names.  I believe I have every part of Exchange / IIS referring only to the external URL for the domain, and for a month everything has been working fine.  Today, a user with Mac Mail opened the application and got an expired certificate warning - and it was trying to use the self-signed Sites certificate which expired in 2012.  I ran get-ExchangeCertificate and saw that SMTP was an assigned service for that certificate as well as for the GoDaddy certificate.  I'm not sure but I don't think that was the case before.  But anyway, I can't change the services to "none" - the command runs but doesn't change anything.  I am not sure whether to renew or remove the Sites certificate - it's been expired for over a year, so it must not be needed for anything, but I also know SBS gets picky about the way things are set up.  And mostly, I have no idea why this computer suddenly decided it wanted to use that certificate instead of the valid GoDaddy certificate.  I did run a test of the SSL certificate through SSLShopper and it passes with no issues.  Any thoughts would be appreciated!
0
Comment
Question by:landiiiks2
  • 4
  • 3
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39783608
Having multiple certificates with the SMTP function is fine. Perfectly normal, particularly as you cannot have internal names on the certificate.
If you have just the two certificates (Sites and your trusted one) then I would start by running new-exchangecertificate (no parameters) to create a new self signed internal transport certificate.

The next thing you should do is an Autodiscover test to confirm that you have caught everything. The important bit here is the bindings on the web sites, as SBS has multiple web sites involved.

Simon.
0
 

Author Comment

by:landiiiks2
ID: 39833965
I did run the command to create the new certificate, but the user is still getting the warning for the expired Sites certificate.  It still allows him to send and receive mail, but every time he opens MacMail he gets the warning.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39838343
Sites is another part of SBS. That would tend to suggest the bindings are not correct within SBS (SBS 2008 does the web sites on the server in a very odd way).

Run the fix my network wizard in the SBS console and see what that flags up.

Simon.
0
Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

 

Author Comment

by:landiiiks2
ID: 39922456
I still can't find anything referring to Sites.  Very frustrating.  It isn't stopping mail, but it is an annoyance.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39924425
If you run get-exchangecertificate on the Exchange server, so you see a certificate called "Sites" ?
If so, what services is it bound to?

Simon.
0
 

Author Comment

by:landiiiks2
ID: 39925460
There is a Sites certificate and it is bound to SMTP but it is expired (long since).  I tried to remove SMTP as a service but it didn't do it.  But everything should be looking to the GoDaddy certificate.  But I'm reluctant to just remove the Sites certificate in case I break something.  And I'm not sure why this issue has just popped up when the certificate expired long ago.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39926910
Is it bound to SMTP only?
When you tried to remove it, did it say something about it being the "default" certificate?
If so, run

new-exchangecertificate

No switches or anything. When you get the prompt about replacing the default SMTP certificate, say yes.

You should then be able to remove the Sites certificate.

Is it an old version of Mac Mail that doesn't use web services, but wants to send by SMTP? If so that could be the cause.

Simon.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
how to add IIS SMTP to handle application/Scanner relays into office 365.
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now