Solved

TLS Certificate Error in Exchange

Posted on 2014-03-07
7
2,832 Views
Last Modified: 2014-03-13
I noticed recently in the Event Viewer that there are a number or errors with the source MSExchangeTransport. It is usually just 2 errors but they show up every 5 minutes and have the IDs of 12015 and 12016. Below are descriptions. Mail seems to be going out ok so I'm not sure what the issue is.


12015
An internal transport certificate expired. Thumbprint:2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E

12016
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of domain.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of domain.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
0
Comment
Question by:itmoonlighter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39912824
If you arent using a 3rd party cert, you can simply run new-exchangecertificate and it will create a new one for you with a self-signed cert.

To check the certificate information of the Exchange server, we can run the following command: Get-exchangecertificate |fl
To check if the certificate is valid, we can check the property status.
To check the host names, we can check the property CertifictaeDomains.
To check if it’s a self-signed certificate, we can check the property IsSelfSigned.
To check if it’s a 3rd party, we can check the property Issuer.

Additionally, here are more references about the errors:
Event 12015
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12015&EvtSrc=MSExchangeTransport
Event 12016
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12016&EvtSrc=MSExchangeTransport
0
 
LVL 9

Accepted Solution

by:
Ahmed786 earned 500 total points
ID: 39912836
Simply you can execute below command and it may resolve your query.

1. Open "Exchange Management Shell".
 
2. Write "get-ExchangeCertificate" and press on "Enter" button.
 
3. Write down the Thumbprint of the certificate that reflect the required FQDN name of the server.
 
4. Review the current certificate that use by the Exchange server and
 
         each certificate function.
 
5. Write "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services "SMTP"
 
       and press on 'Enter" button.
 

•The value of -Thumbprint obtained in stage 3.

 
6. Restart the Exchange server.
0
 

Author Comment

by:itmoonlighter
ID: 39912889
I don't believe it's issued by a 3rd party. I found the certificate that had the thumbprint that's getting an error in the logs and pasted the details below.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, servername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-servername-CA
NotAfter           : 12/4/2013 1:29:32 PM
NotBefore          : 12/5/2011 1:29:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61038703000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39912904
Just create a new certificate using new-exchangecertificate
That will be suitable for transport use.
Then remove the old certificates using remove-exchangecertificate

I don't see any point in cloning the old certificate.

If you are using Outlook Anywhere or ActiveSync then you should have a trusted certificate on the server.

Simon.
0
 

Author Comment

by:itmoonlighter
ID: 39912913
We are using ActiveSync and have a certificate from Go Daddy. It won't effect that, will it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39913240
If you do exactly what I have said, then no.
The new certificate is only enabled for SMTP, which is used by TLS.

Although if you have a trusted SSL certificate from GoDaddy then you should only have one certificate with "I" in services when you run get-exchangecertificate - your trusted one.

Simon.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39914539
You should be able to fix this simply by running the Fix my network wizard on the SBS console
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses
Course of the Month4 days, 21 hours left to enroll

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question