CocosDad asked:

Microsoft Connectivity Analyzer reports wrong SSL cert on port 443

Small Business Server 2011
New SSL cert installed using SBS Console wizard.  SSL Cert installed without errors.  Verified that 443 * binding in IIS 7 was using correct cert.  Verified Exchange (via EMC) that the new cert had loaded.

Upgraded GFI software to current version of EmailEssentials and discovered that transfer from Email Essentials to Exchange was not working.  Review of the logs indicated a problem with Autodiscover.

Double checked DNS server; autodiscover resolves to the public IP address of the SBS.

Ran Microsoft Connectivity Analyzer / Autodiscover and Active Sync option; got this error:



The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server ____.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 
 Additional Details
 
Remote Certificate Subject: CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.

Elapsed Time: 205 ms.  

 

 Validating the certificate name.
  Certificate name validation failed.


This is not the cert that I installed; could not find this certificate anywhere.  How do I fix this?
Server Software

Last Comment: VB ITS, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
VB ITS

CocosDad

ASKER
Ran the RCA on 6 other SBS 2011 installations each with a GoDaddy cert.  In each case, the RCA located the SSL on port 443 and found that the certificate name matched the domain name.

With this particular problem child, the RCA reports that the SSL cert on port 443 name was =*.bluehost.com, that it is a wild card SSL and that the SSL appears to be for a company in Great Britain.
Unless I am reading the error message from the RCA incorrectly.  I posted a copy of the error with my domain name underlined out in my original question.

Another reason why I think the issue is on our server is that when the GFI anti-spam software goes to transfer the email to Exchange, it checks the http://MYDOMAIN.COM/autodiscover/autodiscover.hm file and gives an error of "invalid user name".

Is it possible to edit this file or have the system regenerate a new one?

I have no control over the website hosting company or the company that created the website.  Is there some way of determining whether or not either of them has installed an SSL cert?  The web site is informational only and collects requests for information.  No commerce.
VB ITS

You can try going to https://www.yourcompany.com in a web browser to determine if an SSL certificate is installed. If there is one installed, you'll most likely run into the familiar "There is a problem with this website’s security certificate" error message. Click "Continue to this website (not recommended)" > click on "Certificate error" at the top, then "View Certificate".

Did you purchase the SSL certificate for the company.com address? Only reason I ask is because I usually configure a prefix for the domain name (e.g. remote.company.com) within the Set up your Internet address wizard in the SBS Console to avoid the above issue.
CocosDad

ASKER
Thanks for getting back to me.  You are correct, the hosting company (Bluenote) installed a wild card SSL cert on their web server so all their clients' web sites have this cert whether they need it or not.

I entered https://www.mycompany.com, selected Continue to web site.  A screen for Bluenote Web Hosting flashed by followed by my client's web site.

The ssl cert I purchased was named mail.mycompany.com with alternate names remote.mycompany.com and autodiscover.mycompany.com.  

The DNS zone file that I have control over has remote, mail and autodiscover pointing to public IP address of my SBS.  www and mycompany.com both point to the public IP address of the Bluenote web server.

They must have done this recently because this configuration has been working fine for the last 2 years.

There must be some solution to be had in either the DNS Zone File or rekeying the cert.
VB ITS

In that case everything that you have done so far regarding the certificate sounds right.

As I stated previously, the Exchange ActiveSync and Exchange ActiveSync Autodiscover tests are only testing for a potential Autodiscover URL (being https://yourcompany.com:443/Autodiscover/Autodiscover.xml). This doesn't actually mean that they have detected that this is your Autodiscover URL, they're just covering their bases by checking yourcompany.com first.

All that really matters is whether the tests pass or not. Are the tests successful?
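
Added example, not part of the thread: a Python sketch of the probe order described above (bare domain first, then autodiscover.<domain>) with the certificate name check applied to each host, showing why the first probe fails against the web host's wildcard certificate while the second passes against the SBS certificate. The function names are hypothetical, and the two certificate dictionaries are constructed from the names quoted in the thread, with mycompany.com standing in for the masked domain.

```python
import socket
import ssl

def candidates(email_domain):
    # Probe order described in the thread: bare domain first, then autodiscover.<domain>.
    return [email_domain, "autodiscover." + email_domain]

def cert_names(cert):
    # cert is shaped like ssl.SSLSocket.getpeercert(): DNS SANs win, else subject CN.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    # A "*" is accepted only as the entire left-most label and covers exactly one label.
    h, p = host.lower().split("."), pattern.lower().split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def check(email_domain, get_cert):
    # Returns [(host, names on the certificate served there, name check passed)].
    out = []
    for host in candidates(email_domain):
        names = cert_names(get_cert(host))
        out.append((host, names, any(name_matches(host, n) for n in names)))
    return out

def fetch_cert(host, port=443, timeout=5):
    # Live lookup: the chain is still verified, but the name check is left to check().
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data mirroring the thread (mycompany.com is a placeholder domain).
WEB_HOST = {"subject": ((("commonName", "*.bluehost.com"),),)}
SBS = {"subject": ((("commonName", "mail.mycompany.com"),),),
       "subjectAltName": (("DNS", "mail.mycompany.com"), ("DNS", "remote.mycompany.com"),
                          ("DNS", "autodiscover.mycompany.com"))}
SERVED = {"mycompany.com": WEB_HOST, "autodiscover.mycompany.com": SBS}

if __name__ == "__main__":
    for host, names, ok in check("mycompany.com", SERVED.__getitem__):
        print(f"{host}: {names} -> {'match' if ok else 'NAME MISMATCH'}")
    # For a live check, pass fetch_cert instead of SERVED.__getitem__.
```

With fetch_cert, a host whose chain is not trusted by the local store raises ssl.SSLCertVerificationError instead of returning names.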