Solved

Exchange 2010 SSL wrong certificate

Posted on 2014-04-01
Last Modified: 2014-04-10
Have Exchange 2010, all the SPs and RUs. Three days ago all of our mobile devices stopped connecting to e-mail. However, Outlook and OWA are working fine.

Error on device is "Cannot connect to server"

Ran the connectivity analyzer and below is the error.

I have a valid SSL certificate that expires in 2017. In the error, the SSL Certificate that is being pointed to is not ours. The site "rogansmemorials" is a valid place where we purchased flowers for a staff member, but we are in no way related to it. Somehow their SSL certificate has taken the place of ours.

How do I fix this?

---------------------------------------------------

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.ourwebsite.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl, Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US.

Validating the certificate name.
Certificate name validation failed.

Additional Details
Host name autodiscover.ourwebsite.com doesn't match any name found on the server certificate CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl.

--------------------------------------------------
Question by:SECC_IT
LVL 6

Expert Comment

by:Ryan Smith
ID: 39969860
Chat with the RapidSSL people. They'll be able to help you.

Author Comment

by:SECC_IT
ID: 39969904
I did contact RapidSSL and they said that certificate expired in 2012.

Isn't there a place somewhere on the server where I can fix this?
LVL 6

Expert Comment

by:Ryan Smith
ID: 39969968
You have to go into the Exchange Management Console and click on Server Configuration. You can see your SSL certs there. Do you see any expired certs in there?

Author Comment

by:SECC_IT
ID: 39969993
No. And my GoDaddy one is there and valid.
LVL 6

Expert Comment

by:Ryan Smith
ID: 39970008
Use this site to test your URLs. This is really strange.

https://www.geocerts.com/ssl_checker

Author Comment

by:SECC_IT
ID: 39970056
Okay, this just got weirder. I ran our mail server URL mail.ourwebsite.com and it came back with this, which is ALSO wrong!!! FYI, we JUST had a Mitel phone system put in. Yes, I've contacted that vendor.

------------------------------------------
SSL Server Certificate

 Common Name: Mitel5000
 Issuing CA: mitel.com
 Organization: Mitel Networks Corporation
 Valid from February 26, 2014 to February 25, 2017
 Key Size: 1024 bits
--------------------------------------------

However, how do I let my Exchange server know to use our valid, existing SSL certificate?
LVL 6

Expert Comment

by:Ryan Smith
ID: 39970101
Did Mitel have admin access? They might have tied voice mail into Exchange and made some changes. I believe it's under Unity on Exchange. Not sure if that's Cisco only though.

Try to ping your URLs and see what IP they go to. Someone might have changed them at your domain registrar under advanced DNS.

Author Comment

by:SECC_IT
ID: 39970182
Pings are fine. GoDaddy had me reinstall the certificate, which I did. However, when I run the MS Connectivity Analyzer, I get the rogansmemorials certificate again, and when I run the GeoCerts SSL checker, I get the Mitel one.

I am truly totally flummoxed.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970195
Has your Autodiscover A record been pointed to a different IP Address?

Have any of your DNS records been updated / amended recently?

Has your firewall been amended recently to forward ports to another device / server (such as the phone system)?

Alan

Author Comment

by:SECC_IT
ID: 39970272
Autodiscover A record points to the IP address of my exchange server.

No on the DNS thing.

YES on number three though. I went into the SonicWall and removed all the changes I made (they weren't doing what I needed anyway).

The results: I now pass the GeoCerts test, but when I run the MS Connectivity Analyzer, it still refers to that rogansmemorials site.

Therefore, devices are still unable to connect to Exchange.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970354
Okay - on the server, can you visit www.canyouseeme.org and test port 443 to check that it is open and forwarded properly?

If you see SUCCESS, then it's good news.

Alan
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970367
And for giggles - does www.whatismyip.com show you the IP Address you expect to be seeing?

Author Comment

by:SECC_IT
ID: 39970405
Yes, all good on both of those. Wow, cool websites!

So, I contacted my web host and explained the issue to him. He checked HIS DNS servers and found that our autodiscover record was pointing to the server that hosts our WEBSITE, not the mail server. So he fixed that, and after I let the obligatory time pass, I'll check and see if that fixed it.

I'll post what happens here tomorrow.
LVL 6

Assisted Solution

by:Ryan Smith
Ryan Smith earned 250 total points
ID: 39970413
My answer might have been right to check your DNS :) "Someone might have changed them at your domain registrar under advanced DNS."
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 39970420
Where is your DNS managed? At the web host?

If that is the case, then it sounds like it should be fixed, but only time will tell.

If you visit www.whois.com/whois/add_your_domain_name_here.com you should see the DNS servers that manage your domain name, and that is where the world will go to find your website / DNS records, so if that is your web host, then it's looking good.

Alan
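The two checks this thread boils down to, as an added example that is not code from the thread: does the autodiscover name resolve to the Exchange server, and does the certificate that host presents actually carry that name? The subject string is the one the Connectivity Analyzer printed above; the IP addresses are constructed placeholders (TEST-NET), and `diagnose` is a hypothetical helper, not a Microsoft or Exchange tool.

```python
import re

# Subject string as printed by the Connectivity Analyzer in the question above.
ROGANS_SUBJECT = ("CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), "
                  "OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, "
                  "O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl")

def parse_dn(dn):
    """Split an X.500 subject string into attribute -> list of values.
    OU can appear several times, hence the list per attribute."""
    attrs = {}
    for part in re.split(r",\s*(?=[A-Za-z]+=)", dn):
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs

def name_matches(hostname, pattern):
    """RFC 6125-style check: exact match, or a wildcard in the leftmost label only."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        h, p = host.split("."), pat.split(".")
        return len(h) == len(p) and h[1:] == p[1:]
    return host == pat

def cert_names(subject, sans=()):
    """Names a client will accept for a certificate: subject CN plus any SANs."""
    return list(dict.fromkeys([*parse_dn(subject).get("CN", []), *sans]))

def diagnose(hostname, resolved_ip, exchange_ip, cert_subject, sans=()):
    """Return the findings the thread worked through: the name resolving to the
    wrong host (the web host instead of Exchange) and a certificate for another name."""
    findings = []
    if resolved_ip != exchange_ip:
        findings.append(f"{hostname} resolves to {resolved_ip}, not the Exchange "
                        f"server {exchange_ip}: fix the A record where DNS is hosted")
    names = cert_names(cert_subject, sans)
    if not any(name_matches(hostname, n) for n in names):
        findings.append(f"certificate presented for {hostname} is issued for "
                        f"{', '.join(names)}: name mismatch")
    return findings

if __name__ == "__main__":
    # Constructed addresses: 203.0.113.10 is the web host, 203.0.113.25 the Exchange server.
    for finding in diagnose("autodiscover.ourwebsite.com", "203.0.113.10",
                            "203.0.113.25", ROGANS_SUBJECT):
        print("FAIL:", finding)
```

Once the A record points at the Exchange server and the certificate it presents lists the autodiscover name (as a SAN or a matching wildcard), `diagnose` returns no findings.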