Solved

Exchange 2010 SSL wrong certificate

Posted on 2014-04-01
Last Modified: 2014-04-10
Have Exchange 2010, all the SPs and RUs. Three days ago all of our mobile devices stopped connecting to e-mail. However, Outlook and OWA are working fine.

Error on device is "Cannot connect to server"

Ran the connectivity analyzer and below is the error.

I have a valid SSL certificate that expires in 2017. In the error, the SSL Certificate that is being pointed to is not ours. The site "rogansmemorials" is a valid place where we purchased flowers for a staff member, but we are in no way related to it. Somehow their SSL certificate has taken the place of ours.

How do I fix this?

---------------------------------------------------

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.ourwebsite.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl, Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US.

Validating the certificate name.
Certificate name validation failed.

Additional Details
Host name autodiscover.ourwebsite.com doesn't match any name found on the server certificate CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl.

--------------------------------------------------
Question by:SECC_IT
15 Comments
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39969860
Chat with rapidssl people.   They'll be able to help you.
0
 

Author Comment

by:SECC_IT
ID: 39969904
I did contact RapidSSL and they said that certificate expired in 2012.

Isn't there a place somewhere on the server where I can fix this?
0
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39969968
You have to go into Exchange Management Console and click on Server Configuration. You can see your SSL certs there. Do you see any expired certs in there?
0
 

Author Comment

by:SECC_IT
ID: 39969993
No. And my GoDaddy one is there and valid.
0
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39970008
Use this site to test your urls.  This is really strange.

https://www.geocerts.com/ssl_checker
0
 

Author Comment

by:SECC_IT
ID: 39970056
Okay this just got weirder. I ran our mailserver URL mail.ourwebsite.com and it came back with this, which is ALSO wrong!!! FYI, we JUST had a Mitel phone system put in. Yes, I've contacted that vendor.

------------------------------------------
SSL Server Certificate

 Common Name: Mitel5000
 Issuing CA: mitel.com
 Organization: Mitel Networks Corporation
 Valid from February 26, 2014 to February 25, 2017
 Key Size: 1024 bits
--------------------------------------------

However, how do I let my Exchange server know to use our valid, existing SSL certificate?
0
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39970101
Did Mitel have admin access? They might have tied in voice mails into exchange and made some changes.  I believe it's under Unity on exchange.  Not sure if that's Cisco only though.

Try to ping your urls and see what IP they go to.  Someone might have changed them in your domain register under advanced dns.
0
 

Author Comment

by:SECC_IT
ID: 39970182
Pings are fine. GoDaddy had me reinstall the certificate, which I did. However, when I run the MS connectivity, I get the rogansmemorials again, and when I run the GeoCerts SSL checker, I get the Mitel thing.

I am truly totally flummoxed.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970195
Has your Autodiscover A record been pointed to a different IP Address?

Have any of your DNS records been updated / amended recently?

Has your firewall been amended recently to forward ports to another device / server (such as the phone system)?

Alan
0
 

Author Comment

by:SECC_IT
ID: 39970272
Autodiscover A record points to the IP address of my exchange server.

No on the DNS thing.

YES on number three though. I went into the SonicWall and removed all the changes I made (they weren't doing what I needed anyway).  

The results: I now pass the GeoCerts test, but when I run the MS Connectivity Analyzer, it still refers to that rogansmemorials site.

Therefore, devices are still unable to connect to exchange.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970354
Okay - on the server can you visit www.canyouseeme.org and test port 443 to check that it is open and forwarded properly.

If you see SUCCESS, then it's good news.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970367
And for giggles - does www.whatismyip.com show you the IP Address you expect to be seeing?
0
 

Author Comment

by:SECC_IT
ID: 39970405
Yes, all good on both of those. Wow, cool websites!

So, I contacted my webhost and explained the issue to him. He checked HIS DNS servers and found that our autodiscover was pointing to the server that hosts our WEBSITE, not the mail server. So he fixed that and after I let the obligatory time pass, I'll check and see if that fixed it.

I'll post what happens here tomorrow.
0
 
LVL 6

Assisted Solution

by:Ryan Smith
Ryan Smith earned 250 total points
ID: 39970413
My answer might have been right to check your dns :)  "Someone might have changed them in your domain register under advanced dns."
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 39970420
Where is your DNS managed?  At the webhost?

If that is the case, then sounds like it should be fixed, but only time will tell.

If you visit www.whois.com/whois/add_your_domain_name_here.com you should see the DNS servers that manage your Domain Name and that is where the world will go to find your website / DNS records, so if that is your webhost, then it's looking good.

Alan
0
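
The thread turned up two separate causes for the wrong certificate: a firewall change that sent port 443 to another device, and a public autodiscover record pointing at the web host instead of the mail server. As an added example (not part of the original thread), this Python triage classifies one external observation as either cause; the IP addresses, the shortened subject strings and all function names are constructed for illustration.

```python
import ipaddress
import re

def subject_cn(dn):
    """Pull the CN out of a subject string as the Connectivity Analyzer prints it."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def name_matches(hostname, pattern):
    """Exact match, or one left-most wildcard label (RFC 6125 style)."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return h == p

def triage(hostname, public_ip, exchange_ip, subject_dn, san=()):
    """Classify one observation of hostname:443 taken from outside the network."""
    names = list(san) or [subject_cn(subject_dn)]
    if any(n and name_matches(hostname, n) for n in names):
        return "ok"
    if ipaddress.ip_address(public_ip) != ipaddress.ip_address(exchange_ip):
        return "dns"          # public record points at a different host
    return "forwarding"       # right address, but 443 lands on another device

# Constructed observations modelled on the thread; IPs are documentation ranges.
EXCHANGE_IP = "203.0.113.10"  # assumed public address of the Exchange server
OBSERVATIONS = [
    ("autodiscover.ourwebsite.com", "198.51.100.25",
     "CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), C=US", ()),
    ("mail.ourwebsite.com", "203.0.113.10",
     "CN=Mitel5000, O=Mitel Networks Corporation", ()),
    ("mail.ourwebsite.com", "203.0.113.10", "CN=mail.ourwebsite.com",
     ("mail.ourwebsite.com", "autodiscover.ourwebsite.com")),
]

def run():
    """Return (hostname, verdict) for every constructed observation."""
    return [(h, triage(h, ip, EXCHANGE_IP, dn, san)) for h, ip, dn, san in OBSERVATIONS]

if __name__ == "__main__":
    for host, verdict in run():
        print(f"{host:32} {verdict}")
```

The `public_ip` value has to come from the authoritative public DNS servers, since an internal resolver can return the correct Exchange address while external clients are sent elsewhere.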


Question has a verified solution.
