Microsoft Connectivity Analyzer reports wrong SSL cert on port 443

Posted on 2014-11-13
Medium Priority
Last Modified: 2014-12-16
Small Business Server 2011
New SSL cert installed using SBS Console wizard.  SSL Cert installed without errors.  Verified that 443 * binding in IIS 7 was using correct cert.  Verified Exchange (via EMC) that the new cert had loaded.

Upgraded GFI software to current version of EmailEssentials and discovered that transfer from Email Essentials to Exchange was not working.  Review of the logs indicated a problem with Autodiscover.

Double checked DNS server; autodiscover resolves to the public IP address of the SBS.

Ran Microsoft Connectivity Analyzer / Autodiscover and Active Sync option; got this error:

The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server ____.com on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
 Additional Details
Remote Certificate Subject: CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.

Elapsed Time: 205 ms.  


 Validating the certificate name.
  Certificate name validation failed.

This is not the cert that I installed; could not find this certificate anywhere.  How do I fix this?
Question by:CocosDad

Accepted Solution

VB ITS earned 2000 total points
ID: 40439838
This is part of how Microsoft's Remote Connectivity Analyzer tool works when you opt for the Use Autodiscover to detect my server settings option, as it is testing for a potential Autodiscover address.

You will most likely find that this certificate is the one that has been installed for your public-facing website (i.e. www.yourcompany.com) by your website hosting company. As the majority of website people request you configure the DNS A record for yourcompany.com to match the DNS A record for www.yourcompany.com to prevent errors when accessing your company's website via a web browser, the RCA tool will fail this check if your web hosting company has assigned an SSL certificate to your site (which is perfectly fine when required).

You should find that the test completes fine. If it doesn't, post up the result you got from the RCA test and we can help you further.

As for actually testing your new SSL certificate, I find it's just easier to load OWA or RWA on an external machine as you can then just check the SSL certificate through the browser itself. This is what I do whenever I renew an SSL certificate to verify if it has been applied properly.

Author Comment

ID: 40441118
Ran the RCA on 6 other SBS 2011 installations each with a GoDaddy cert.  In each case, the RCA located the SSL on port 443 and found that the certificate name matched the domain name.

With this particular problem child, the RCA reports that the SSL cert on port 443 name was =*.bluehost.com, that it is a wild card SSL and that the SSL appears to be for a company in Great Britain.
Unless I am reading the error message from the RCA incorrectly.  I posted a copy of the error with my domain name underlined out in my original question.

Another reason why I think the issue is on our server is that when the GFI anti-spam software goes to transfer the email to Exchange, it checks the http://MYDOMAIN.COM/autodiscover/autodiscover.hm file and gives an error of "invalid user name".

Is it possible to edit this file or have the system regenerate a new one?

I have no control over the website hosting company or the company that created the website.  Is there some way of determining whether or not either of them have installed an SSL cert?  The web site is informational only and collects requests for information.  No commerce.

Expert Comment

ID: 40441787
You can try going to https://www.yourcompany.com in a web browser to determine if an SSL certificate is installed. If there is one installed, you'll most likely run into the familiar "There is a problem with this website’s security certificate" error message. Click "Continue to this website (not recommended)" > click on "Certificate error" at the top, then "View Certificate".

Did you purchase the SSL certificate for the company.com address? Only reason I ask is because I usually configure a prefix for the domain name (e.g. remote.company.com) within the Set up your Internet address wizard in the SBS Console to avoid the above issue.

Author Comment

ID: 40442357
Thanks for getting back to me.  You are correct, the hosting company (Bluenote) installed a wild card SSL cert on their web server so all their clients' web sites have this cert whether they need it or not.

I entered https://www.mycompany.com, selected Continue to web site.  A screen for Bluenote Web Hosting flashed by followed by my client's web site.

The ssl cert I purchased was named mail.mycompany.com with alternate names remote.mycompany.com and autodiscover.mycompany.com.  

The DNS zone file that I have control over has remote, mail and autodiscover pointing to public IP address of my SBS.  www and mycompany.com both point to the public IP address of the Bluenote web server.

They must have done this recently because this configuration has been working fine for the last 2 years.

There must be some solution to be had in either the DNS Zone File or rekeying the cert.

Expert Comment

ID: 40442613
In that case everything that you have done so far regarding the certificate sounds right.

As I stated previously, the Exchange ActiveSync and Exchange ActiveSync Autodiscover tests are only testing for a potential Autodiscover URL (being https://yourcompany.com:443/Autodiscover/Autodiscover.xml). This doesn't actually mean that they have detected that this is your Autodiscover URL, they're just covering their bases by checking yourcompany.com first.

All that really matters is whether the tests pass or not. Are the tests successful?
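
Added example (not part of the thread, and not Microsoft's code): a small Python check that walks the first two HTTPS hosts an Autodiscover client probes and reports whether the certificate each one presents matches the host name, which is the check the RCA output above failed on. The function names are hypothetical, the `autodiscover.<domain>` second candidate is the standard next step after the bare domain, and the sample certificate names are constructed from the values quoted in the thread.

```python
import socket
import ssl

def name_matches(host, pattern):
    """Certificate name match: '*' stands for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]

def autodiscover_hosts(email_domain):
    """The two HTTPS hosts an Autodiscover client tries first, in order."""
    return [email_domain, "autodiscover." + email_domain]

def fetch_cert_names(host, port=443, timeout=5):
    """Live lookup (needs network): CN and SAN DNS names the server presents.
    The chain is still verified; only the hostname check is skipped so that
    a mismatching certificate can be inspected instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names

def diagnose(email_domain, lookup=fetch_cert_names):
    """Return [(host, names_presented, name_ok)] for each candidate host."""
    report = []
    for host in autodiscover_hosts(email_domain):
        names = lookup(host)
        report.append((host, names, any(name_matches(host, n) for n in names)))
    return report

# Constructed sample mirroring the thread: the bare domain resolves to the web
# host (wildcard cert), autodiscover.* resolves to the SBS (purchased cert).
SAMPLE = {
    "mycompany.com": ["*.bluehost.com"],
    "autodiscover.mycompany.com": ["mail.mycompany.com", "remote.mycompany.com",
                                   "autodiscover.mycompany.com"],
}

if __name__ == "__main__":
    for host, names, ok in diagnose("mycompany.com", SAMPLE.__getitem__):
        print(f"{host:30} {'OK' if ok else 'NAME MISMATCH'}  {names}")
```

Calling `diagnose("yourcompany.com")` without the second argument performs the live lookup against port 443 of each candidate host.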
