Jean-François Guénet
asked on
Exchange 2013 FQDN Certificate Error
Hello, we've put mail.ville.xxx.qc.ca as the FQDN of the Default Frontend NAMESERVER connector, but I'm not sure if it's OK,
because we use TMG and we use owa.ville.xxx.qc.ca for OWA.
mail.ville.xxx.qc.ca is a NAT directly to our Exchange server.
We are receiving this error:
Microsoft Exchange could not find a certificate that contains the domain name mail.ville.xxx.qc.ca in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default Frontend NAMESERVER with a FQDN parameter of mail.ville.xxx.qc.ca. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
What FQDN should I use?
If mail.ville.xxx.qc.ca is OK, how do I add it to the certificate?
Thanks!
ASKER
[PS] C:\Windows\system32>Get-ExchangeCertificate | FL

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.xxx.xxx.qc.ca, www.owa.xxx.xxx.qc.ca}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 2015-10-01 07:13:26
NotBefore : 2014-09-23 13:35:19
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 2B503D0F61C656
Services : None
Status : Valid
Subject : CN=owa.xxx.xxx.qc.ca, OU=Domain Control Validated
Thumbprint : 62821EE9FFC4C0FF41AA86E1A9A8DDC9BC6688ED

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {server_name.xxx.xxx.qc.ca, AutoDiscover.xxx.xxx.qc.ca,
AutoDiscover.xxx.ca, server_name, xxx.xxx.qc.ca, xxx.ca}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=AC-Racine, DC=ville, DC=xxx, DC=qc, DC=ca
NotAfter : 2016-09-15 15:47:43
NotBefore : 2014-09-16 15:47:43
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 535F5FB8000000000679
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=server_name.xxx.xxx.qc.ca, OU=TI, O=xxx, L=xxx, S=QC, C=CA
Thumbprint : 0D911213DE4A8B565F185A8E3E28AF5B80AC5893

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.xxx.xxx.qc.ca, server_name.xxx.xxx.qc.ca,
AutoDiscover.xxx.xxx.qc.ca, AutoDiscover.xxx.ca, server_name,
xxx.xxx.qc.ca, xxx.ca}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=AC-Racine, DC=ville, DC=xxx, DC=qc, DC=ca
NotAfter : 2016-09-15 13:23:11
NotBefore : 2014-09-16 13:23:11
PublicKeySize : 2048
RootCAType : Enterprise
SerialNumber : 52DB0EDA000000000678
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=owa.xxx.xxx.qc.ca, OU=TI, O=xxx, L=xxx, S=Québec, C=CA
Thumbprint : 867EAB32807A54ACEFF53BF0850434FED0DAC903
Change the EHLO name to match the OWA namespace on the certificate and this will fix the STARTTLS issue. If you do not want that namespace there, then you would need a certificate that has the mail.xxx.xxx.xxx.com namespace.
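The check the event text and the answer above describe, as an added example that is not code from the original thread: for every receive connector on the server, read its FQDN (falling back to the computer's FQDN when none is set) and report whether an installed certificate with a private key carries that name, and whether SMTP is enabled on it. It is written for the Exchange Management Shell and uses only the cmdlets already named on the page plus Get-ReceiveConnector and Set-ReceiveConnector; the $ServerName parameter and the Test-CertDomainMatch / Test-CertCoversFqdn helpers are this example's own and are not Exchange built-ins.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# Reports, for each receive connector, whether its FQDN is on a certificate that can
# serve STARTTLS (private key present, SMTP service enabled).
param(
    [string]$ServerName = $env:COMPUTERNAME   # assumed: the local Exchange server
)

# $true when $Domain (a CertificateDomains entry) covers $Fqdn. A single leading
# wildcard label ("*.example.com") is honoured; anything else must match exactly.
function Test-CertDomainMatch {
    param([string]$Domain, [string]$Fqdn)
    if ($Domain -ieq $Fqdn) { return $true }
    if ($Domain.StartsWith('*.')) {
        $suffix = $Domain.Substring(1)            # ".example.com"
        $labels = $Fqdn.Split('.')
        # A wildcard covers exactly one leftmost label, so the rest must equal the suffix.
        return ($labels.Count -ge 2) -and ($Fqdn.Substring($labels[0].Length) -ieq $suffix)
    }
    return $false
}

# $true when any name on $Cert covers $Fqdn.
function Test-CertCoversFqdn {
    param($Cert, [string]$Fqdn)
    foreach ($d in $Cert.CertificateDomains) {
        if (Test-CertDomainMatch ([string]$d) $Fqdn) { return $true }
    }
    return $false
}

# Only certificates that hold a private key can be used for TLS at all.
$allCerts  = @(Get-ExchangeCertificate -Server $ServerName | Where-Object { $_.HasPrivateKey })
# Of those, only certificates enabled for SMTP are offered for STARTTLS.
$smtpCerts = @($allCerts | Where-Object { ([string]$_.Services) -match 'SMTP' })

foreach ($rc in Get-ReceiveConnector -Server $ServerName) {
    $fqdn = [string]$rc.Fqdn
    if ([string]::IsNullOrEmpty($fqdn)) {
        # Per the event text, Exchange uses the computer's FQDN when the connector has none.
        $fqdn = [System.Net.Dns]::GetHostEntry($ServerName).HostName
    }

    $serving   = @($smtpCerts | Where-Object { Test-CertCoversFqdn $_ $fqdn })
    $candidate = @($allCerts  | Where-Object { Test-CertCoversFqdn $_ $fqdn })

    if ($serving.Count -gt 0) {
        "{0}: FQDN {1} is covered by SMTP-enabled cert {2} (expires {3})" -f `
            $rc.Name, $fqdn, $serving[0].Thumbprint, $serving[0].NotAfter
    } elseif ($candidate.Count -gt 0) {
        # A certificate carries the name but SMTP is not enabled on it: the
        # "run Enable-ExchangeCertificate -Services SMTP" case from the event text.
        "{0}: FQDN {1} matches cert {2} but SMTP is not enabled on it. Fix: Enable-ExchangeCertificate -Thumbprint {2} -Services SMTP" -f `
            $rc.Name, $fqdn, $candidate[0].Thumbprint
    } else {
        # No installed certificate carries the name: either point the connector at a
        # name that is on an existing certificate, or reissue the certificate with it.
        "{0}: FQDN {1} is on no installed certificate. Fix: Set-ReceiveConnector -Identity '{2}' -Fqdn <name on cert>, or reissue the cert with {1}" -f `
            $rc.Name, $fqdn, $rc.Identity
    }
}
```

Against the output posted above, this would report the Default Frontend connector's mail.ville.xxx.qc.ca as being on no certificate, since none of the three certificates lists it, while owa.xxx.xxx.qc.ca would be reported as covered by the enterprise-issued certificate that has SMTP enabled; that is the mismatch the answer resolves by changing the connector FQDN. Re-run it after any Set-ReceiveConnector or Enable-ExchangeCertificate change, and also after renewing a certificate, because a renewed certificate is a new thumbprint that does not inherit the SMTP service assignment.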
ASKER
If I put owa.xxx.qc.ca, it's not the same public IP address as mail.xxx.qc.ca.
owa is for my TMG server;
mail is for my Exchange server.
The EHLO name must be mail, no?
Will I have a problem if I put owa?
You should not have an issue putting OWA. The name has to be listed on the SSL certificate. I would increase SMTP logging like you did before and check again, but it should resolve your issue.
ASKER
And if I put the server name instead, is it better?
ASKER CERTIFIED SOLUTION
Get-ExchangeCertificate | FL
Let us know the output. Most likely what has occurred is that you should change the FQDN of the send connector to something that is common on the certificate. That should resolve the issue.
Also, I don't think TMG plays into this, as you most likely do not have a web rule for it.