Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

TLS Certificate Error in Exchange

Posted on 2014-03-07
7
Medium Priority
?
3,038 Views
Last Modified: 2014-03-13
I noticed recently in the Event Viewer that there are a number or errors with the source MSExchangeTransport. It is usually just 2 errors but they show up every 5 minutes and have the IDs of 12015 and 12016. Below are descriptions. Mail seems to be going out ok so I'm not sure what the issue is.


12015
An internal transport certificate expired. Thumbprint:2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E

12016
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of domain.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of domain.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
0
Comment
Question by:itmoonlighter
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39912824
If you arent using a 3rd party cert, you can simply run new-exchangecertificate and it will create a new one for you with a self-signed cert.

To check the certificate information of the Exchange server, we can run the following command: Get-exchangecertificate |fl
To check if the certificate is valid, we can check the property status.
To check the host names, we can check the property CertifictaeDomains.
To check if it’s a self-signed certificate, we can check the property IsSelfSigned.
To check if it’s a 3rd party, we can check the property Issuer.

Additionally, here are more references about the errors:
Event 12015
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12015&EvtSrc=MSExchangeTransport
Event 12016
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12016&EvtSrc=MSExchangeTransport
0
 
LVL 9

Accepted Solution

by:
Ahmed786 earned 2000 total points
ID: 39912836
Simply you can execute below command and it may resolve your query.

1. Open "Exchange Management Shell".
 
2. Write "get-ExchangeCertificate" and press on "Enter" button.
 
3. Write down the Thumbprint of the certificate that reflect the required FQDN name of the server.
 
4. Review the current certificate that use by the Exchange server and
 
         each certificate function.
 
5. Write "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services "SMTP"
 
       and press on 'Enter" button.
 

•The value of -Thumbprint obtained in stage 3.

 
6. Restart the Exchange server.
0
 

Author Comment

by:itmoonlighter
ID: 39912889
I don't believe it's issued by a 3rd party. I found the certificate that had the thumbprint that's getting an error in the logs and pasted the details below.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, servername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-servername-CA
NotAfter           : 12/4/2013 1:29:32 PM
NotBefore          : 12/5/2011 1:29:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61038703000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39912904
Just create a new certificate using new-exchangecertificate
That will be suitable for transport use.
Then remove the old certificates using remove-exchangecertificate

I don't see any point in cloning the old certificate.

If you are using Outlook Anywhere or ActiveSync then you should have a trusted certificate on the server.

Simon.
0
 

Author Comment

by:itmoonlighter
ID: 39912913
We are using ActiveSync and have a certificate from Go Daddy. It won't effect that, will it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39913240
If you do exactly what I have said, then no.
The new certificate is only enabled for SMTP, which is used by TLS.

Although if you have a trusted SSL certificate from GoDaddy then you should only have one certificate with "I" in services when you run get-exchangecertificate - your trusted one.

Simon.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39914539
You should be able to fix this simply by running the Fix my network wizard on the SBS console
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
This video discusses moving either the default database or any database to a new volume.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question