• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 635

The name on the security certificate is invalid or does not match the name of the site

I recently renewed my SSL certificate for my exchange server with GoDaddy and they told me I could not include the site.domain.local SAN.
I installed the certificate and although my clients can use Outlook, they get a Security Alert with the message attached.
GoDaddy then told me I had to purchase a separate standard SSL certificate, but I don't know what to do with this certificate in Exchange - I have a self signed certificate referring to my site.domain.local which has SMTP checked (all others greyed out) but clicking renew does nothing - though it isn't due to expire for five years.
I do not understand why I am getting the attached error and what to do to resolve it.  I am also confused as to why my Outlook clients running on machines authenticated on the domain are complaining about a server within my domain...do I even need this .local certificate?
Attachment: Doc1.docx
Asked: fuzzyfreak
1 Solution
 
Seth Simmons (Sr. Systems Administrator) commented:
your cert should have the external domain name and your exchange config should use the same
3rd party cert providers are (or soon will be) no longer accepting .local or any other non-external domain suffix
use site.domain.com (or whatever domain suffix you have) on your cert and your URLs
also configure split DNS so internal users can resolve external addresses locally

Exchange 2013 Client Access server configuration
https://technet.microsoft.com/en-us/library/hh529912%28v=exchg.150%29.aspx

Windows - Setting Up Split DNS
http://www.petenetlive.com/KB/Article/0000830.htm
 
fuzzyfreak (Author) commented:
Thanks for your response Seth, I am afraid I am having trouble understanding what to do here. I have undertaken the split DNS from article 2, but what have I not done/need to do now?
 
Simon Butler (Sembee), Consultant, commented:
You need to setup split DNS, then reconfigure Exchange to use your external host name internally.
http://semb.ee/hostnames2010 

Users need to be told to not use the server's internal name at all.

Simon.
 
fuzzyfreak (Author) commented:
Thanks, I really appreciate your response on this.  I have already set up the split DNS, it is the PowerShell command I am struggling with.  I think I am almost there, I have just entered "Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml" but it is now asking me for an identity?
 
Seth Simmons (Sr. Systems Administrator) commented:
...but it is now asking me for an identity

that is the server name; it's described in the technet article i cited earlier with the command syntax
 
fuzzyfreak (Author) commented:
I have now entered my server name - it is not clear in the articles how you enter this, so I have entered servername (as opposed to servername.domainname).
This has not resolved my problem.
I would appreciate further guidance.
Thanks.
 
fuzzyfreak (Author) commented:
To be clear here, I am only trying to set the Autodiscover URL - all the others (EWS and OAB) are set correctly i.e. with an internal and external URL.
 
fuzzyfreak (Author) commented:
"Cycle the Exchange Services
After making the changes, cycle the Exchange services to ensure that the changes are live."

Not done that, about to do it now.
 
fuzzyfreak (Author) commented:
Unfortunately this made no difference - the certificate issue is still there.  further help would be very much appreciated.
 
Seth Simmons (Sr. Systems Administrator) commented:
have you tried the remote connectivity analyzer for autodiscover?
it might help point you in the right direction if it finds an error

https://testconnectivity.microsoft.com/
 
Simon Butler (Sembee), Consultant, commented:
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

You shouldn't have been asked for an identity - if that command was entered correctly then the get-clientaccessserver gets the identity bit for you.

Simon.
 
fuzzyfreak (Author) commented:
Thanks - tried again as follows -
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml

It accepted it without the identity.
Any idea which exchange service I need to restart without restarting them all again?
 
fuzzyfreak (Author) commented:
Further to using the analyzer it came up with all sorts of errors -

Attempting to resolve the host name domain.co.uk in DNS.
       The host name couldn't be resolved.

The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.domain.co.uk, OU=Domain Control Validated.
       A certificate chain couldn't be constructed for the certificate.
       
      Additional Details
       
The certificate chain has errors. Chain status = NotTimeValid.
Elapsed Time: 20 ms.

The Microsoft Connectivity Analyzer is checking the host autodiscover.domain.co.uk for an HTTP redirect to the Autodiscover service.
       The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
       
      Additional Details
       
The URL specified in the location HTTP header was not HTTPS. URL: http://domain2.co.ukAutodiscover/Autodiscover.xml
HTTP Response Headers:
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 337
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 19 Mar 2015 15:55:21 GMT
Location: http://domain2.co.ukAutodiscover/Autodiscover.xml
Server: Apache/2.2.22 (Ubuntu)
Elapsed Time: 241 ms.

Attempting to locate SRV record _autodiscover._tcp.domain.co.uk in DNS.
       The Autodiscover SRV record wasn't found in DNS.
 
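Added example, not from any poster in this thread or from Microsoft's analyzer: a PowerShell script that repeats the discovery steps the Remote Connectivity Analyzer output above reports on (A lookup, HTTP redirect, SRV record, certificate validity and names) and also performs the split-DNS check Seth suggested earlier, resolving the same public name against the LAN resolver and a public one. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; domain.co.uk, mail.domain.co.uk and the resolver 8.8.8.8 are placeholders.

```powershell
# Added example (not from this thread or Microsoft's analyzer): run the same
# discovery steps the Remote Connectivity Analyzer reported on, plus a
# split-DNS sanity check. Names and the public resolver are placeholders.
$SmtpDomain     = 'domain.co.uk'
$ExchangeHost   = 'mail.domain.co.uk'
$PublicResolver = '8.8.8.8'

function Test-PrivateIPv4([string]$Ip) {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ARecords([string]$Name, [string]$Resolver) {
    $p = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Resolver) { $p['Server'] = $Resolver }
    @(Resolve-DnsName @p | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
}

# 1. Split DNS: the public name must resolve to a LAN address on the internal
#    resolver and to the public address outside. Same name, different answers.
$inside  = Get-ARecords $ExchangeHost $null
$outside = Get-ARecords $ExchangeHost $PublicResolver
"{0} via LAN resolver    -> {1}  (private: {2})" -f $ExchangeHost, ($inside -join ', '), ($inside.Count -gt 0 -and (Test-PrivateIPv4 $inside[0]))
"{0} via public resolver -> {1}" -f $ExchangeHost, ($outside -join ', ')

# 2. Autodiscover redirect: Outlook only honours a Location header that is HTTPS.
function Get-RedirectTarget([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false          # report the redirect, do not follow it
    $req.Timeout = 10000
    try { $resp = $req.GetResponse(); $loc = $resp.Headers['Location']; $resp.Close(); return $loc }
    catch [System.Net.WebException] { return $null }
}
$redirect = Get-RedirectTarget "http://autodiscover.$SmtpDomain/Autodiscover/Autodiscover.xml"
if (-not $redirect) {
    "autodiscover.$SmtpDomain: no HTTP redirect"
} elseif ($redirect -notmatch '^https://') {
    # The analyzer's complaint above: a plain-HTTP (and here malformed) Location is ignored by Outlook.
    "autodiscover.$SmtpDomain: redirect is not HTTPS, Outlook will ignore it -> $redirect"
} else {
    "autodiscover.$SmtpDomain: redirect OK -> $redirect"
}

# 3. SRV record, the last fallback in Outlook's lookup order.
$srv = @(Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -Server $PublicResolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })
if ($srv.Count) { "SRV -> {0}:{1}" -f $srv[0].NameTarget, $srv[0].Port } else { "No _autodiscover._tcp.$SmtpDomain SRV record" }

# 4. Certificate actually presented on 443: names and validity window.
#    "NotTimeValid" from the analyzer means the clock is outside NotBefore..NotAfter.
function Get-ServerCertificate([string]$TargetHost, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    # Accept anything during the handshake: the goal is to read the cert, not to trust it.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}
try {
    $cert = Get-ServerCertificate $ExchangeHost
    "Subject : {0}" -f $cert.Subject
    "Valid   : {0:u} to {1:u}  (now {2:u})" -f $cert.NotBefore, $cert.NotAfter, (Get-Date)
    # 2.5.29.17 is the Subject Alternative Name extension; Format() lists the DNS names.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    "SAN     : {0}" -f $san
} catch { "TLS handshake with ${ExchangeHost}:443 failed: $($_.Exception.Message)" }
```

Run it once from a domain-joined machine and once from outside the LAN: the A-record answers should differ (private inside, public outside) while the certificate, redirect and SRV results should be identical, and every host name Outlook is handed must appear in the SAN list printed at the end.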
fuzzyfreak (Author) commented:
Something very serious has occurred. After I restarted Exchange, no client can get in and event viewer is giving me lots of the following error -

Log Name:      System
Source:        Microsoft-Windows-HttpEvent
Date:          19/03/2015 17:16:30
Event ID:      15021
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.domain.local
Description:
An error occurred while using SSL configuration for endpoint 0.0.0.0:444.  The error status code is contained within the returned data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-HttpEvent" Guid="{7b6bc78c-898b-4170-bbf8-1a469ea43fc5}" EventSourceName="HTTP" />
    <EventID Qualifiers="49152">15021</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-03-19T17:16:30.369626900Z" />
    <EventRecordID>350205</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="84" />
    <Channel>System</Channel>
    <Computer>computer.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DeviceObject">\Device\Http\ReqQueue</Data>
    <Data Name="Endpoint">0.0.0.0:444</Data>
    <Binary>000004000200300000000000AD3A00C00000000000000000000000000000000000000000000000005F0000C0</Binary>
  </EventData>
</Event>
 
fuzzyfreak (Author) commented:
Right, I have managed to resolve that issue, however I STILL have the certificate problem - so I am back to where I started. I would very much appreciate a resolution to this.

Many thanks
 
Simon Butler (Sembee), Consultant, commented:
You need to do an Autodiscover test in Outlook, to verify that the host names being returned to the client are
a. what you expect them to be
b. match the name on the SSL certificate.

With Outlook running, hold down ctrl and right click on the Outlook icon in the system tray. Choose Test Email Autoconfiguration. Deselect the 2nd and 3rd options and do the test. Look at the results to ensure they match.

You have almost certainly missed one of the host names.
I gave you the wrong link before, unless you follow it to the 2013 version http://semb.ee/hostnames2013

Simon.
 
fuzzyfreak (Author) commented:
Thanks for your response Simon. I can't see any problems with that test, the log says succeeded. One thing I am confused about though, is that all the URLs point to my internal server name server.domain.local - is this right?
 
fuzzyfreak (Author) commented:
My apologies, having read it again, I now realise that all URLs should be pointing to my external certificate name.  There are still references to my internal server name during the test - how do I resolve these?  Is there a way I can export the log for you to take a look at?
 
Simon Butler (Sembee), Consultant, commented:
You need to make the changes I outlined in my post right at the top.
http://semb.ee/hostnames2010

Change all of the internal and external URLs to match the external name on the certificate.

If you are seeing internal server names in the Autodiscover results, that is the cause of your problems.

Simon.
 
fuzzyfreak (Author) commented:
Thanks, unfortunately I have multiple entries in my autodiscover - some point to the internal URL and some to the external URL even though I have made all the changes in your link - the only thing I have not done is restart the services again.
 
fuzzyfreak (Author) commented:
The following still point to my internal URL -
OAB (under Exchange RPC)
ECP (under one of the Exchange http*)
Internal OWA - under autoconfiguration

I have two entries for Exchange http - is that normal?
 
Simon Butler (Sembee), Consultant, commented:
You need to restart IIS (iisreset) after making the changes.
You have changed all of the virtual directories - OWA, ECP, OAB, EWS?

Simon.
 
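Added example, not from Simon's article or from any poster here: an Exchange Management Shell script that applies the change Simon describes (every internal and external URL, plus the Autodiscover SCP, set to the public name on the certificate) and then verifies that each host name clients will be handed is actually covered by the certificate enabled for IIS. It assumes Exchange 2010 or 2013; the server name EX01 and the public name mail.example.net are placeholders, and Outlook Anywhere host names are only checked, not changed.

```powershell
# Added example (not from this thread or Microsoft docs): point every client
# URL on one Exchange server at the public name, then check that name against
# the certificate enabled for IIS. EX01 and mail.example.net are placeholders.
$Server   = 'EX01'
$HostName = 'mail.example.net'
$Base     = "https://$HostName"

# Autodiscover SCP in AD: what domain-joined Outlook consults first.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# Virtual directories. MAPI only exists from 2013 SP1, so absent cmdlets are skipped.
$vdirs = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Path = '/owa' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Path = '/ecp' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Path = '/OAB' },
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = '/EWS/Exchange.asmx' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Path = '/Microsoft-Server-ActiveSync' },
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Path = '/mapi' }
) | Where-Object { Get-Command $_.Set -ErrorAction SilentlyContinue }

foreach ($v in $vdirs) {
    # Same public name inside and outside, so one SAN certificate (no .local) covers everyone.
    & $v.Get -Server $Server | ForEach-Object {
        & $v.Set -Identity $_.Identity -InternalUrl "$Base$($v.Path)" -ExternalUrl "$Base$($v.Path)"
    }
}

# Verification: every host name clients are now handed must be on the IIS certificate.
function Test-NameOnCertificate([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }     # -eq is case-insensitive in PowerShell
        # A wildcard covers exactly one label: *.domain.co.uk matches mail.domain.co.uk only.
        if ($d.StartsWith('*.') -and $Name.EndsWith($d.Substring(1)) -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

$urls = @(foreach ($v in $vdirs) {
    & $v.Get -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
})
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$oa    = Get-OutlookAnywhere -Server $Server
$names = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host }) +
         @($oa.ExternalHostname, $oa.InternalHostname | ForEach-Object { "$_" })   # InternalHostname is 2013-only
$names = $names | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

$iisCert = Get-ExchangeCertificate -Server $Server |
           Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
"IIS certificate: {0} (expires {1:d})" -f $iisCert.Subject, $iisCert.NotAfter
foreach ($n in $names) {
    $status = if (Test-NameOnCertificate $n $iisCert.CertificateDomains) { 'on certificate' } else { 'NOT on certificate: clients will warn' }
    "{0,-40} {1}" -f $n, $status
}
# Then run iisreset, as Simon says, before repeating Test Email AutoConfiguration in Outlook.
```

Any line reported as NOT on certificate is a host name Outlook will still be told to use and will still warn about; a leftover servername.domain.local entry in the SCP or in one virtual directory is exactly the pattern the thread's Autodiscover test turned up.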
fuzzyfreak (Author) commented:
On your second point, I have just done that - I missed that in your article (I have not changed powershell - not sure if that is necessary)
 
fuzzyfreak (Author) commented:
OK, finally we are getting somewhere.  There is now no reference to any internal .local machine so the only person who is getting a certificate error is myself (fixed for all clients) - I am not sure why.
Thanks
 
fuzzyfreak (Author) commented:
I cannot close this question until I resolve this completely i.e. for myself who is still seeing the certificate error when opening Outlook.

Thanks
 
Simon Butler (Sembee), Consultant, commented:
If it is working for everyone else, then it has to be something unique about your machine.

Simon.
 
fuzzyfreak (Author) commented:
Thanks, where would I start?
 
fuzzyfreak (Author) commented:
Thanks for your persistence on this matter. My certificate issue simply faded away eventually (not sure when or how).
Question has a verified solution.