Solved

TLS Certificate Error in Exchange

Posted on 2014-03-07
7
2,538 Views
Last Modified: 2014-03-13
I noticed recently in the Event Viewer that there are a number or errors with the source MSExchangeTransport. It is usually just 2 errors but they show up every 5 minutes and have the IDs of 12015 and 12016. Below are descriptions. Mail seems to be going out ok so I'm not sure what the issue is.


12015
An internal transport certificate expired. Thumbprint:2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E

12016
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of domain.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of domain.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
0
Comment
Question by:itmoonlighter
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39912824
If you arent using a 3rd party cert, you can simply run new-exchangecertificate and it will create a new one for you with a self-signed cert.

To check the certificate information of the Exchange server, we can run the following command: Get-exchangecertificate |fl
To check if the certificate is valid, we can check the property status.
To check the host names, we can check the property CertifictaeDomains.
To check if it’s a self-signed certificate, we can check the property IsSelfSigned.
To check if it’s a 3rd party, we can check the property Issuer.

Additionally, here are more references about the errors:
Event 12015
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12015&EvtSrc=MSExchangeTransport
Event 12016
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12016&EvtSrc=MSExchangeTransport
0
 
LVL 9

Accepted Solution

by:
Ahmed786 earned 500 total points
ID: 39912836
Simply you can execute below command and it may resolve your query.

1. Open "Exchange Management Shell".
 
2. Write "get-ExchangeCertificate" and press on "Enter" button.
 
3. Write down the Thumbprint of the certificate that reflect the required FQDN name of the server.
 
4. Review the current certificate that use by the Exchange server and
 
         each certificate function.
 
5. Write "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services "SMTP"
 
       and press on 'Enter" button.
 

•The value of -Thumbprint obtained in stage 3.

 
6. Restart the Exchange server.
0
 

Author Comment

by:itmoonlighter
ID: 39912889
I don't believe it's issued by a 3rd party. I found the certificate that had the thumbprint that's getting an error in the logs and pasted the details below.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, servername.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-servername-CA
NotAfter           : 12/4/2013 1:29:32 PM
NotBefore          : 12/5/2011 1:29:32 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 61038703000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 2649DA2E6EDFDE9F89021FCAE03EA420FE74A11E
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39912904
Just create a new certificate using new-exchangecertificate
That will be suitable for transport use.
Then remove the old certificates using remove-exchangecertificate

I don't see any point in cloning the old certificate.

If you are using Outlook Anywhere or ActiveSync then you should have a trusted certificate on the server.

Simon.
0
 

Author Comment

by:itmoonlighter
ID: 39912913
We are using ActiveSync and have a certificate from Go Daddy. It won't effect that, will it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39913240
If you do exactly what I have said, then no.
The new certificate is only enabled for SMTP, which is used by TLS.

Although if you have a trusted SSL certificate from GoDaddy then you should only have one certificate with "I" in services when you run get-exchangecertificate - your trusted one.

Simon.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39914539
You should be able to fix this simply by running the Fix my network wizard on the SBS console
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question