Solved

No valid SMTP Transport Layer Security (TLS) Certificate for the FQDN of.

Posted on 2014-04-30
Last Modified: 2014-05-01
I am getting an error: "No valid SMTP Transport Layer Security (TLS) Certificate for the FQDN of..." The existing certificate for the FQDN has expired. Is this needed? We have a 3rd party SSL.
Question by:mspencer100
5 Comments
LVL 29

Expert Comment

by:becraig
ID: 40032705
Sounds like you updated your certificate but did not update the server.

Get the thumbprint for the new cert and run the command below:

Enable-ExchangeCertificate -Thumbprint xxxxxx -Services SMTP,IMAP,POP,IIS

Author Comment

by:mspencer100
ID: 40032758
The 3rd party SSL has been applied, but it looks like we have a FQDN for the internal server, i.e. "internalemalservername.dominname.com"; the 3rd party SSL is for mail.domainname.com. As I look at the connectors, it looks to DNS to resolve MX, so it looks like local users are being taken to internalemalservername.dominname.com via DNS and redirected by MX to the mail server via FQDN mail.domainname.com?
Thoughts on why this was set up this way? How to fix?
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40033072
Where does your autodiscover point to? You do know that you should have purchased a SAN certificate that covers all of the mail bases:
mail.domain.com
autodiscover.domain.com
You should create the request on the Exchange server.

Helpful links:
http://www.digicert.com/csr-creation-microsoft-exchange-2010.htm
http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm
LVL 29

Accepted Solution

by: becraig (earned 250 total points)
ID: 40033335
I agree with David; if it is not too late, I would look into getting a SAN cert with the FQDNs you need to resolve.

We can fix this otherwise, but the potential for a headache down the road should be avoided now by replacing the certificate.

Follow the steps here for a SAN request:
http://www.entrust.net/knowledge-base/technote.cfm?tn=8293
Do any of your internal URLs point to a .local domain, or do they all correctly point to .com?
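The SAN route that becraig's first comment (enable the new certificate by thumbprint) and this accepted solution describe, written out as an added example for the Exchange Management Shell. This is not code from the thread or from Microsoft's documentation; it uses Exchange 2010 cmdlets (New-ExchangeCertificate, Import-ExchangeCertificate, Enable-ExchangeCertificate), and the domain name domainname.com, the O/C values in the subject, the file paths and the Test-CertCoversName helper are assumptions chosen for illustration. The check in step 3 is the part a practitioner wants: it refuses to bind a certificate that is expired or that does not list the server's own FQDN, which is exactly the condition the error in the question complains about.

```powershell
# Added example (not code from this thread): request a SAN certificate that lists every
# name Exchange presents, import the issued certificate, verify it, and bind it to services.
# Exchange 2010 cmdlets, run in the Exchange Management Shell on the Exchange server.
# Placeholders (assumed, not from the thread): domainname.com, the O/C values, the file paths.

$Server  = $env:COMPUTERNAME
# The name the SMTP error is about: the server's own FQDN, not the public mail name.
$Fqdn    = ([System.Net.Dns]::GetHostEntry($Server)).HostName
$Names   = @('mail.domainname.com', 'autodiscover.domainname.com', $Fqdn)
$ReqPath = 'C:\certreq\exchange-san.req'   # CSR to hand to the CA
$CerPath = 'C:\certreq\exchange-san.cer'   # certificate the CA issues back

# True when a certificate's domain list covers $Name, exactly or via a single-label wildcard.
function Test-CertCoversName {
    param($Cert, [string]$Name)
    foreach ($entry in $Cert.CertificateDomains) {
        $domain = $entry.ToString()
        if ($domain -eq $Name) { return $true }
        if ($domain.StartsWith('*.') -and ($Name -like $domain) -and
            ($Name.Split('.').Count -eq $domain.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. Generate the CSR on the Exchange server so the private key is created and stays there.
#    The CN in -SubjectName is repeated as the first entry of -DomainName.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -KeySize 2048 `
    -PrivateKeyExportable $true `
    -SubjectName "CN=$($Names[0]), O=Example Org, C=US" `
    -DomainName $Names
Set-Content -Path $ReqPath -Value $csr

# 2. Submit $ReqPath to the CA out of band and save the issued certificate as $CerPath.
#    Importing it completes the pending request created in step 1.
$issued = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))

# 3. Refuse to bind a certificate that is expired or that misses one of the required names;
#    either condition would leave the "No valid SMTP TLS certificate" error in place.
if ($issued.NotAfter -le (Get-Date)) {
    throw "Certificate $($issued.Thumbprint) is already expired (NotAfter $($issued.NotAfter))"
}
$missing = @($Names | Where-Object { -not (Test-CertCoversName $issued $_) })
if ($missing.Count -gt 0) {
    throw "Certificate $($issued.Thumbprint) does not cover: $($missing -join ', ')"
}

# 4. Bind it. Exchange asks before replacing the default SMTP certificate; answer Yes.
Enable-ExchangeCertificate -Server $Server -Thumbprint $issued.Thumbprint -Services SMTP,IMAP,POP,IIS
```

Keeping the server FQDN in the SAN list is the point of the thread: a public certificate for mail.domainname.com alone satisfies clients but not Exchange's own internal SMTP TLS check, so the name check in step 3 is run against all three names rather than just the public one.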
LVL 63

Assisted Solution

by: Simon Butler (Sembee) (earned 250 total points)
ID: 40034329
This is a common problem because Exchange needs an SSL certificate with the server FQDN on it for internal transport flow using SSL.

As such, the easiest fix is to run

new-exchangecertificate

No other switches. You will get prompted to replace the default SMTP certificate. Say yes to that, and the error will go away.
You can then remove the expired SSL certificate: use get-exchangecertificate to view them, then remove-exchangecertificate to remove it.

No need to replace the SSL certificate you already have.

Simon.
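Simon's procedure (new self-signed certificate, then list and remove the expired one), as an added example for the Exchange Management Shell. These are not Simon's own commands beyond the three cmdlets he names; the dry-run default, the guard that keeps an expired certificate still bound to IIS, POP, IMAP or UM, and the final verification are assumptions added here so that nothing is removed before the bindings have been looked at.

```powershell
# Added example (not Simon's own commands, though it uses the three cmdlets he names):
# create the self-signed certificate Exchange wants for its own FQDN, then retire expired
# certificates with a dry run first. Exchange 2010 cmdlets, Exchange Management Shell,
# run on the affected server. $DryRun and the guard logic are assumptions, not thread content.

$Server = $env:COMPUTERNAME
$DryRun = $true     # set to $false to actually remove certificates

# 1. Self-signed certificate for internal SMTP. With no other switches the cmdlet uses the
#    server FQDN and prompts before replacing the default SMTP certificate; answer Yes.
$selfSigned = New-ExchangeCertificate -Server $Server
Write-Host "New self-signed certificate: $($selfSigned.Thumbprint) ($($selfSigned.Subject))"

# 2. Find expired certificates. Exchange can list several certificates with SMTP, so an expired
#    one that still shows SMTP is safe to remove; one still bound to IIS, POP, IMAP or UM is not,
#    because that binding would have to be moved to another certificate first.
$expired = Get-ExchangeCertificate -Server $Server | Where-Object { $_.NotAfter -lt (Get-Date) }

foreach ($cert in $expired) {
    $bound = @("$($cert.Services)" -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' -and $_ -ne 'SMTP' })
    if ($bound.Count -gt 0) {
        Write-Warning ("Keeping expired certificate {0} ({1}): still bound to {2}" -f
            $cert.Thumbprint, $cert.Subject, ($bound -join ', '))
        continue
    }
    # -WhatIf:$DryRun only reports what would be removed until $DryRun is set to $false.
    Remove-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Confirm:$false -WhatIf:$DryRun
}

# 3. Verify: every certificate now offered for SMTP is unexpired, and at least one of them
#    (the new self-signed one) lists the server FQDN, which is what the error checks for.
$Fqdn = ([System.Net.Dns]::GetHostEntry($Server)).HostName
Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned,
        @{ n = 'ListsServerFqdn'; e = { @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $Fqdn } } |
    Format-Table -AutoSize
```

Run it once with $DryRun left at $true, read the -WhatIf lines and the warnings, and only then flip it to $false; the third-party certificate for mail.domainname.com is untouched throughout, which matches Simon's point that it does not need replacing.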
