Solved

Exchange 2010 SSL wrong certificate

Posted on 2014-04-01
Last Modified: 2014-04-10
Have Exchange 2010, all the SPs and RUs. Three days ago all of our mobile devices stopped connecting to e-mail. However, Outlook and OWA are working fine.

Error on device is "Cannot connect to server"

Ran the connectivity analyzer and below is the error.

I have a valid SSL certificate that expires in 2017. In the error, the SSL Certificate that is being pointed to is not ours. The site "rogansmemorials" is a valid place where we purchased flowers for a staff member, but we are in no way related to it. Somehow their SSL certificate has taken the place of ours.

How do I fix this?

---------------------------------------------------

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.ourwebsite.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl, Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US.

Validating the certificate name.
Certificate name validation failed.

Additional Details
Host name autodiscover.ourwebsite.com doesn't match any name found on the server certificate CN=www.rogansmemorials.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT84814419, O=www.rogansmemorials.com, C=US, SERIALNUMBER=fIZeLP-K7AU7ugSbLxM7c9vf33vaZ0Fl.

--------------------------------------------------
0
Question by:SECC_IT
15 Comments
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39969860
Chat with rapidssl people.   They'll be able to help you.
0
 

Author Comment

by:SECC_IT
ID: 39969904
I did contact RapidSSL and they said that certificate expired in 2012.

Isn't there a place somewhere on the server where I can fix this?
0
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39969968
You have to go into exchange management console and click on Server Configuration. You can see your SSL certs there.  Do you see any expired certs in there?
0
 

Author Comment

by:SECC_IT
ID: 39969993
No. And my GoDaddy one is there and valid.
0
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39970008
Use this site to test your urls.  This is really strange.

https://www.geocerts.com/ssl_checker
0
 

Author Comment

by:SECC_IT
ID: 39970056
Okay this just got weirder. I ran our mailserver URL mail.ourwebsite.com and it came back with this, which is ALSO wrong!!! FYI, we JUST had a Mitel phone system put in. Yes, I've contacted that vendor.

------------------------------------------
SSL Server Certificate

 Common Name: Mitel5000
 Issuing CA: mitel.com
 Organization: Mitel Networks Corporation
 Valid from February 26, 2014 to February 25, 2017
 Key Size: 1024 bits
--------------------------------------------

However, how do I let my Exchange server know to use our valid, existing SSL certificate?
0
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39970101
Did Mitel have admin access? They might have tied in voice mails into exchange and made some changes.  I believe it's under Unity on exchange.  Not sure if that's Cisco only though.

Try to ping your urls and see what IP they go to.  Someone might have changed them in your domain register under advanced dns.
0
 

Author Comment

by:SECC_IT
ID: 39970182
Pings are fine. GoDaddy had me reinstall the certificate, which I did. However, when I run the MS connectivity, I get the rogansmemorials again, and when I run the GeoCerts SSL checker, I get the Mitel thing.

I am truly totally flummoxed.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970195
Has your Autodiscover A record been pointed to a different IP Address?

Have any of your DNS records been updated / amended recently?

Has your firewall been amended recently to forward ports to another device / server (such as the phone system)?

Alan
0
 

Author Comment

by:SECC_IT
ID: 39970272
Autodiscover A record points to the IP address of my exchange server.

No on the DNS thing.

YES on number three though. I went into the SonicWall and removed all the changes I made (they weren't doing what I needed anyway).  

The results: I now pass the GeoCerts test, but when I run the MS Connectivity Analyzer, it still refers to that rogansmemorials site.

Therefore, devices are still unable to connect to exchange.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970354
Okay - on the server can you visit www.canyouseeme.org and test port 443 to check that it is open and forwarded properly.

If you see SUCCESS, then it's good news.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39970367
And for giggles - does www.whatismyip.com show you the IP Address you expect to be seeing?
0
 

Author Comment

by:SECC_IT
ID: 39970405
Yes, all good on both of those. Wow, cool websites!

So, I contacted my webhost and explained the issue to him. He checked HIS DNS servers and found that our autodiscover was pointing to the server that hosts our WEBSITE, not the mail server. So he fixed that and after I let the obligatory time pass, I'll check and see if that fixed it.

I'll post what happens here tomorrow.
0
 
LVL 6

Assisted Solution

by:Ryan Smith
Ryan Smith earned 1000 total points
ID: 39970413
My answer might have been right to check your dns :)  "Someone might have changed them in your domain register under advanced dns."
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 39970420
Where is your DNS managed?  At the webhost?

If that is the case, then sounds like it should be fixed, but only time will tell.

If you visit www.whois.com/whois/add_your_domain_name_here.com you should see the DNS servers that manage your Domain Name and that is where the world will go to find your website / DNS records, so if that is your webhost, then it's looking good.

Alan
0
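The two checks this thread converges on (where the A record for the Exchange hostname actually points, and whose certificate port 443 actually serves) as an added Python example; it is not code from the original thread. The `203.0.113.x` addresses and the `SAMPLE_WRONG_CERT` dictionary are constructed from the analyzer output quoted in the question, and `check_live` needs network access.

```python
"""Reproduce the Connectivity Analyzer's certificate-name check plus the DNS
sanity check from the thread: does the hostname resolve where you expect, and
does the certificate served on 443 carry that hostname at all?"""
from __future__ import annotations
import socket
import ssl

# Constructed from the analyzer output in the question (getpeercert() layout:
# subject is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs).
SAMPLE_WRONG_CERT = {"subject": ((("commonName", "www.rogansmemorials.com"),),)}


def cert_names(cert: dict) -> set[str]:
    """Collect the subject CN and every DNS SAN, lower-cased."""
    names = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return names


def hostname_matches(hostname: str, names: set[str]) -> bool:
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def diagnose(hostname: str, expected_ip: str, resolved_ip: str,
             names: set[str], trusted: bool) -> list[str]:
    """Findings in the order an admin would chase them: DNS first, then TLS."""
    findings = []
    if resolved_ip != expected_ip:
        findings.append(f"DNS: {hostname} resolves to {resolved_ip}, expected {expected_ip}")
    if not trusted:
        findings.append("TLS: presented certificate chain is not trusted by this client")
    if not hostname_matches(hostname, names):
        findings.append(f"TLS: {hostname} is not among certificate names {sorted(names)}")
    return findings


def check_live(hostname: str, expected_ip: str, port: int = 443) -> list[str]:
    """Resolve the name and fetch whatever certificate answers on the port."""
    resolved_ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; name check is done above
    try:
        with socket.create_connection((resolved_ip, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return diagnose(hostname, expected_ip, resolved_ip,
                                cert_names(tls.getpeercert()), trusted=True)
    except ssl.SSLCertVerificationError:  # e.g. a private-CA cert like the Mitel one
        return diagnose(hostname, expected_ip, resolved_ip, set(), trusted=False)
```

Run `check_live("autodiscover.yourdomain.example", "<Exchange public IP>")` from outside the LAN; an untrusted-chain finding combined with a DNS mismatch points at a firewall forward or DNS record rather than at the Exchange certificate itself.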
