Solved

TLS Certificate Error in Exchange

Posted on 2014-03-07
7
2,355 Views
Last Modified: 2014-03-13
I noticed recently in the Event Viewer that there are a number or errors with the source MSExchangeTransport. It is usually just 2 errors but they show up every 5 minutes and have the IDs of 12015 and 12016. Below are descriptions. Mail seems to be going out ok so I'm not sure what the issue is.


12015
An internal transport certificate expired. Thumbprint:2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E

12016
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of domain.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of domain.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
0
Comment
Question by:itmoonlighter
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 9

Expert Comment

by:Ahmed786
Comment Utility
If you arent using a 3rd party cert, you can simply run new-exchangecertificate and it will create a new one for you with a self-signed cert.

To check the certificate information of the Exchange server, we can run the following command: Get-exchangecertificate |fl
To check if the certificate is valid, we can check the property status.
To check the host names, we can check the property CertifictaeDomains.
To check if it’s a self-signed certificate, we can check the property IsSelfSigned.
To check if it’s a 3rd party, we can check the property Issuer.

Additionally, here are more references about the errors:
Event 12015
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12015&EvtSrc=MSExchangeTransport
Event 12016
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12016&EvtSrc=MSExchangeTransport
0
 
LVL 9

Accepted Solution

by:
Ahmed786 earned 500 total points
Comment Utility
Simply you can execute below command and it may resolve your query.

1. Open "Exchange Management Shell".
 
2. Write "get-ExchangeCertificate" and press on "Enter" button.
 
3. Write down the Thumbprint of the certificate that reflect the required FQDN name of the server.
 
4. Review the current certificate that use by the Exchange server and
 
         each certificate function.
 
5. Write "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services "SMTP"
 
       and press on 'Enter" button.
 

•The value of -Thumbprint obtained in stage 3.

 
6. Restart the Exchange server.
0
 

Author Comment

by:itmoonlighter
Comment Utility
I don't believe it's issued by a 3rd party. I found the certificate that had the thumbprint that's getting an error in the logs and pasted the details below.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, servername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-servername-CA
NotAfter           : 12/4/2013 1:29:32 PM
NotBefore          : 12/5/2011 1:29:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61038703000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E
0
Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
Just create a new certificate using new-exchangecertificate
That will be suitable for transport use.
Then remove the old certificates using remove-exchangecertificate

I don't see any point in cloning the old certificate.

If you are using Outlook Anywhere or ActiveSync then you should have a trusted certificate on the server.

Simon.
0
 

Author Comment

by:itmoonlighter
Comment Utility
We are using ActiveSync and have a certificate from Go Daddy. It won't effect that, will it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
If you do exactly what I have said, then no.
The new certificate is only enabled for SMTP, which is used by TLS.

Although if you have a trusted SSL certificate from GoDaddy then you should only have one certificate with "I" in services when you run get-exchangecertificate - your trusted one.

Simon.
0
 
LVL 35

Expert Comment

by:Cris Hanna
Comment Utility
You should be able to fix this simply by running the Fix my network wizard on the SBS console
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Familiarize people with the process of utilizing SQL Server stored procedures from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Micr…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now