Solved

Microsoft Connectivity Analyzer reports wrong SSL cert on port 443

Posted on 2014-11-13
Last Modified: 2014-12-16
Small Business Server 2011
New SSL cert installed using SBS Console wizard.  SSL Cert installed without errors.  Verified that 443 * binding in IIS 7 was using correct cert.  Verified Exchange (via EMC) that the new cert had loaded.

Upgraded GFI software to current version of EmailEssentials and discovered that transfer from Email Essentials to Exchange was not working.  Review of the logs indicated a problem with Autodiscover.

Double checked DNS server; autodiscover resolves to the public IP address of the SBS.

Ran Microsoft Connectivity Analyzer / Autodiscover and Active Sync option; got this error:



The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server ____.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
 Additional Details
 
Remote Certificate Subject: CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.

Elapsed Time: 205 ms.  

 

 Validating the certificate name.
  Certificate name validation failed.


This is not the cert that I installed; could not find this certificate anywhere.  How do I fix this?
0
Question by:CocosDad

Accepted Solution

by:
VB ITS earned 500 total points
This is part of how Microsoft's Remote Connectivity Analyzer tool works when you opt for the Use Autodiscover to detect my server settings option, as it is testing for a potential Autodiscover address.

You will most likely find that this certificate is the one that has been installed for your public-facing website (i.e. www.yourcompany.com) by your website hosting company. As the majority of website people request you configure the DNS A record for yourcompany.com to match the DNS A record for www.yourcompany.com to prevent errors when accessing your company's website via a web browser, the RCA tool will fail this check if your web hosting company has assigned an SSL certificate to your site (which is perfectly fine when required).

You should find that the test completes fine. If it doesn't, post up the result you got from the RCA test and we can help you further.

As for actually testing your new SSL certificate, I find it's just easier to load OWA or RWA on an external machine as you can then just check the SSL certificate through the browser itself. This is what I do whenever I renew an SSL certificate to verify if it has been applied properly.
0
 

Author Comment

by:CocosDad
Ran the RCA on 6 other SBS 2011 installations each with a GoDaddy cert.  In each case, the RCA located the SSL on port 443 and found that the certificate name matched the domain name.

With this particular problem child, the RCA reports that the SSL cert on port 443 name was =*.bluehost.com, that it is a wild card SSL and that the SSL appears to be for a company in Great Britain.
Unless I am reading the error message from the RCA incorrectly.  I posted a copy of the error with my domain name underlined out in my original question.

Another reason why I think the issue is on our server is that when the GFI anti-spam software goes to transfer the email to Exchange, it checks the http://MYDOMAIN.COM/autodiscover/autodiscover.hm file and gives an error of "invalid user name".

Is it possible to edit this file or have the system regenerate a new one?

I have no control over the website hosting company or the company that created the website.  Is there some way of determining whether or not either of them has installed an SSL cert?  The web site is informational only and collects requests for information.  No commerce.
0
 

Expert Comment

by:VB ITS
You can try going to https://www.yourcompany.com in a web browser to determine if an SSL certificate is installed. If there is one installed, you'll most likely run into the familiar "There is a problem with this website’s security certificate" error message. Click "Continue to this website (not recommended)" > click on "Certificate error" at the top, then "View Certificate".

Did you purchase the SSL certificate for the company.com address? Only reason I ask is because I usually configure a prefix for the domain name (e.g. remote.company.com) within the Set up your Internet address wizard in the SBS Console to avoid the above issue.
0
 

Author Comment

by:CocosDad
Thanks for getting back to me.  You are correct, the hosting company (Bluenote) installed a wild card SSL cert on their web server so all their clients' web sites have this cert whether they need it or not.

I entered https://www.mycompany.com, selected Continue to web site.  A screen for Bluenote Web Hosting flashed by followed by my client's web site.

The ssl cert I purchased was named mail.mycompany.com with alternate names remote.mycompany.com and autodiscover.mycompany.com.  

The DNS zone file that I have control over has remote, mail and autodiscover pointing to public IP address of my SBS.  www and mycompany.com both point to the public IP address of the Bluenote web server.

They must have done this recently because this configuration has been working fine for the last 2 years.

There must be some solution to be had in either the DNS Zone File or rekeying the cert.
0
 

Expert Comment

by:VB ITS
In that case everything that you have done so far regarding the certificate sounds right.

As I stated previously, the Exchange ActiveSync and Exchange ActiveSync Autodiscover tests are only testing for a potential Autodiscover URL (being https://yourcompany.com:443/Autodiscover/Autodiscover.xml). This doesn't actually mean that they have detected that this is your Autodiscover URL, they're just covering their bases by checking yourcompany.com first.

All that really matters is whether the tests pass or not. Are the tests successful?
0
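As an added illustration (not code from the thread or from Microsoft's tool), this Python sketch models the certificate name-validation step for the Autodiscover hosts discussed above. It goes slightly beyond the thread by also checking autodiscover.<domain>, the next standard Autodiscover endpoint; the function names are hypothetical and the certificate name lists are constructed from the names quoted in the posts.

```python
# Added example: offline model of the certificate name check described in the
# thread. Nothing is fetched from a server; all data below is constructed.

def name_matches(host, pattern):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels so '*.com' matches nothing
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def cert_valid_for(host, cert_names):
    """True if any name in the certificate (CN or SAN) covers the host."""
    return any(name_matches(host, n) for n in cert_names)

def autodiscover_candidates(smtp_domain):
    """HTTPS hosts an Autodiscover client tries, in order: root domain first."""
    return [smtp_domain, "autodiscover." + smtp_domain]

def simulate(smtp_domain, served_certs):
    """Return [(host, passed)] for each candidate host.

    served_certs maps hostname -> names in the certificate that host presents
    on port 443 (subject CN plus subject alternative names).
    """
    results = []
    for host in autodiscover_candidates(smtp_domain):
        names = served_certs.get(host)
        results.append((host, names is not None and cert_valid_for(host, names)))
    return results

# Constructed sample mirroring the thread: the root domain resolves to the web
# host, which serves its own wildcard cert; autodiscover resolves to the SBS.
SERVED = {
    "mycompany.com": ["*.bluehost.com"],
    "autodiscover.mycompany.com": [
        "mail.mycompany.com", "remote.mycompany.com", "autodiscover.mycompany.com",
    ],
}

if __name__ == "__main__":
    for host, ok in simulate("mycompany.com", SERVED):
        print(f"https://{host}/autodiscover/autodiscover.xml ->",
              "name validation passed" if ok else "name validation FAILED")
```

The root-domain candidate fails because the hosting provider's wildcard does not cover mycompany.com, while the autodiscover host passes against the purchased certificate's alternate names.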