Exchange 2010 SSL wrong certificate

Have Exchange 2010, all the SPs and RUs. Three days ago all of our mobile devices stopped connecting to e-mail. However, Outlook and OWA are working fine.

Error on device is "Cannot connect to server"

Ran the connectivity analyzer and below is the error.

I have a valid SSL certificate that expires in 2017. In the error, the SSL Certificate that is being pointed to is not ours. The site "rogansmemorials" is a valid place where we purchased flowers for a staff member, but we are in no way related to it. Somehow their SSL certificate has taken the place of ours.

How do I fix this?

---------------------------------------------------

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.ourwebsite.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl, Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US.

Validating the certificate name.
Certificate name validation failed.

Additional Details
Host name autodiscover.ourwebsite.com doesn't match any name found on the server certificate CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl.

--------------------------------------------------
Asked by SECC_IT

Ryan Smith, Sr. Systems Engineer, commented:
Chat with rapidssl people.   They'll be able to help you.
0
SECC_IT (Author) commented:
I did contact RapidSSL and they said that certificate expired in 2012.

Isn't there a place somewhere on the server where I can fix this?
0
Ryan Smith, Sr. Systems Engineer, commented:
You have to go into exchange management console and click on Server Configuration. You can see your SSL certs there.  Do you see any expired certs in there?
0

SECC_IT (Author) commented:
No. And my GoDaddy one is there and valid.
0
Ryan Smith, Sr. Systems Engineer, commented:
Use this site to test your urls.  This is really strange.

https://www.geocerts.com/ssl_checker
0
SECC_IT (Author) commented:
Okay this just got weirder. I ran our mailserver URL mail.ourwebsite.com and it came back with this, which is ALSO wrong!!! FYI, we JUST had a Mitel phone system put in. Yes, I've contacted that vendor.

------------------------------------------
SSL Server Certificate

 Common Name: Mitel5000
 Issuing CA: mitel.com
 Organization: Mitel Networks Corporation
 Valid from February 26, 2014 to February 25, 2017
 Key Size: 1024 bits
--------------------------------------------

However, how do I let my Exchange server know to use our valid, existing SSL certificate?
0
Ryan Smith, Sr. Systems Engineer, commented:
Did Mitel have admin access? They might have tied in voice mails into exchange and made some changes.  I believe it's under Unity on exchange.  Not sure if that's Cisco only though.

Try to ping your urls and see what IP they go to.  Someone might have changed them in your domain register under advanced dns.
0
SECC_IT (Author) commented:
Pings are fine. GoDaddy had me reinstall the certificate, which I did. However, when I run the MS connectivity, I get the rogansmemorials again, and when I run the GeoCerts SSL checker, I get the Mitel thing.

I am truly totally flummoxed.
0
Alan Hardisty, Co-Owner, commented:
Has your Autodiscover A record been pointed to a different IP Address?

Have any of your DNS records been updated / amended recently?

Has your firewall been amended recently to forward ports to another device / server (such as the phone system)?

Alan
0
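The two symptoms in this thread (the analyzer's "Certificate name validation failed" on the question, and Alan's three checks above: is the A record pointing elsewhere, did DNS change, is the firewall forwarding 443 to another device) can be separated by one small check per hostname: what does the name resolve to, and whose certificate does that endpoint present? The script below is an added example, not code from the thread or from Microsoft's analyzer. It resolves a hostname, fetches the certificate names from the resolved address over TLS, and classifies the result as a DNS problem, a wrong device behind the expected IP, or a working endpoint. The sample data is constructed to mirror the thread (RFC 5737 addresses, `example.com` in place of the asker's domain, the `Mitel5000` and `www.rogansmemorials.com` names taken from the posts); `resolve` and `fetch_names` are injectable so it runs offline, with `live_fetch_names` as the real-network variant.

```python
import socket
import ssl


def hostname_matches(hostname: str, names: list[str]) -> bool:
    """True if hostname is covered by one of the certificate's CN/SAN DNS names.
    A wildcard covers exactly one leftmost label (mail.example.com, not a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def live_fetch_names(ip: str, hostname: str, port: int = 443) -> list[str]:
    """Connect to ip:port with SNI=hostname and return the subject CN plus SAN DNS names.
    The chain is still verified against the system CA store (so a self-signed device
    certificate raises SSLCertVerificationError), but hostname checking is disabled because
    the point is to see which names the endpoint presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def diagnose(hostname: str, expected_ip: str, resolve=socket.gethostbyname,
             fetch_names=live_fetch_names) -> dict:
    """Classify why a client would reject the certificate it sees for hostname."""
    ip = resolve(hostname)
    if ip != expected_ip:
        return {"host": hostname, "ip": ip, "verdict": "dns",
                "detail": f"resolves to {ip}, expected {expected_ip}: fix the A record at the DNS host"}
    try:
        names = fetch_names(ip, hostname)
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "ip": ip, "verdict": "untrusted",
                "detail": f"chain did not verify ({exc.verify_message}): likely a device/self-signed cert"}
    if hostname_matches(hostname, names):
        return {"host": hostname, "ip": ip, "verdict": "ok", "detail": f"certificate names {names}"}
    return {"host": hostname, "ip": ip, "verdict": "wrong-endpoint",
            "detail": f"IP is right but the certificate is for {names}: "
                      "check firewall port forwards and which cert is bound to the Exchange site"}


# Constructed sample data mirroring the thread (not real addresses or DNS).
EXCHANGE_IP = "203.0.113.20"
WEBHOST_IP = "203.0.113.10"
SAMPLE_DNS = {"autodiscover.example.com": WEBHOST_IP, "mail.example.com": EXCHANGE_IP}
SAMPLE_CERTS = {WEBHOST_IP: ["www.rogansmemorials.com"],      # web host answering for autodiscover
                EXCHANGE_IP: ["Mitel5000"]}                   # port 443 forwarded to the phone system
FIXED_CERTS = {EXCHANGE_IP: ["mail.example.com", "autodiscover.example.com"]}


def run_sample(certs: dict = SAMPLE_CERTS) -> dict:
    """Diagnose both sample hostnames against the Exchange IP using the constructed tables."""
    return {host: diagnose(host, EXCHANGE_IP, resolve=SAMPLE_DNS.get,
                           fetch_names=lambda ip, h: certs[ip])
            for host in SAMPLE_DNS}


if __name__ == "__main__":
    for host, result in run_sample().items():
        print(f"{host}: {result['verdict']} ({result['detail']})")
```

In the thread the two tools disagreed because they were looking at two different names: `autodiscover.ourwebsite.com` resolved to the web host (a `dns` verdict), while `mail.ourwebsite.com` resolved to the right address but the firewall change had put the phone system behind port 443 (a `wrong-endpoint` verdict). Running `diagnose` against each published name with the real `socket.gethostbyname` and `live_fetch_names` gives the same split without guessing.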
SECC_IT (Author) commented:
Autodiscover A record points to the IP address of my exchange server.

No on the DNS thing.

YES on number three though. I went into the SonicWall and removed all the changes I made (they weren't doing what I needed anyway).  

The results: I now pass the GeoCerts test, but when I run the MS Connectivity Analyzer, it still refers to that rogansmemorials site.

Therefore, devices are still unable to connect to exchange.
0
Alan Hardisty, Co-Owner, commented:
Okay - on the server can you visit www.canyouseeme.org and test port 443 to check that it is open and forwarded properly.

If you see SUCCESS, then it's good news.

Alan
0
Alan Hardisty, Co-Owner, commented:
And for giggles - does www.whatismyip.com show you the IP Address you expect to be seeing?
0
SECC_IT (Author) commented:
Yes, all good on both of those. Wow, cool websites!

So, I contacted my webhost and explained the issue to him. He checked HIS DNS servers and found that our autodiscover was pointing to the server that hosts our WEBSITE, not the mail server. So he fixed that and after I let the obligatory time pass, I'll check and see if that fixed it.

I'll post what happens here tomorrow.
0
Ryan Smith, Sr. Systems Engineer, commented:
My answer might have been right to check your dns :)  "Someone might have changed them in your domain register under advanced dns."
0
Alan Hardisty, Co-Owner, commented:
Where is your DNS managed?  At the webhost?

If that is the case, then sounds like it should be fixed, but only time will tell.

If you visit www.whois.com/whois/add_your_domain_name_here.com you should see the DNS servers that manage your Domain Name, and that is where the world will go to find your website / DNS records, so if that is your webhost, then it's looking good.

Alan
0
