Microsoft Exchange 2013, Outlook 2012 invalid security certificate

So a couple of weeks ago, seemingly at random, a majority of my Outlook clients stopped working. When Outlook is launched there is an error related to the security certificate. There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server XXXXXXX. (Error Code 8).

I don't know where I need to go to fix this. The mail server uses a self-signed/generated certificate. We use auto discovery to configure the Outlook clients. I'm sure it is something easy but I can't figure it out. In the meantime we have been manually installing the certificate on all the client machines and putting it in the Trusted Root Authority store. The certificate has been in place at least a year and we used it, installed new Outlook clients, and added new users without any issue or errors. Now we get this error every time for every profile, even on machines that already had the certificate manually installed for a different user.

What do I need to change to fix this? I thought about forcefully installing the certificate via command in a login script but I figure there has to be an easier way on the server or related to auto discovery to fix this.
Kevin Castleman (IT Administrator) asked:

Check your DCs that serve up the autodiscovery/autodiscover XML to make sure they have valid certs.
I recently answered a question with a similar issue; the asker found the cause was HTTPS://ADmdomain/autodiscovepr/autodiscover.xml.

Will post the link to that post when I can find it.
Kevin Castleman (IT Administrator), Author, commented:
I added the mail server's self-generated cert to the trusted root cert authority store on both my domain controllers. I get the same error. Do I need to store them somewhere else?
Are you pushing those self signed certs as trusted within a GPO to all clients?

Kevin Castleman (IT Administrator), Author, commented:
Actually yes we are.  The cert is there in the GPO under Trusted Root Certificate Authorities and shows as expires on 9/5/2018.
There are several points from which this issue can arise.
One is direct access to the Exchange server; the other deals with autodiscovery.

Open HTTPS:// in a browser and see whether you get a certificate error.
Kevin Castleman (IT Administrator), Author, commented:
I'm sorry, I may be missing something. I click that link and nothing happens. I tried changing it to https://myinternaldomain.local/autodiscover/ and neither replied with results.
That was a try.
It's about identifying the connections your email clients make and then looking at the cert.

I.e. the certificate is for the Exchange server name, but the access from the client is to a different name. This will create a name mismatch that pushing the self-signed certificate as trusted will not resolve.
Kevin Castleman (IT Administrator), Author, commented:
OK so how do I fix that?  It was working for over a year without any issue.  Then something updated and now all I get is errors.
Without knowing where the issue is, i.e. you renewed/regenerated a new self-signed certificate this year and used the system's name versus the one you used before.
Kevin Castleman (IT Administrator), Author, commented:
I didn't do either. It just stopped working one day. I didn't renew the cert nor did I regenerate a new one. If we can't troubleshoot the setup as it is, what is the process to create/use a new one so that I don't get these errors?
Where is the issue? Double-check the account setup within Outlook, dealing with what host is being used. Then look to see whether the certificate of that host:port matches the name and is not expired.
Kevin Castleman (IT Administrator), Author, commented:
That is my question: where is the issue? It is all accounts, new or old.

The cert matches the name of the mail server. It is not expired. I guess I don't understand or know what's missing.
Look at your Outlook account configuration. Is it configured through a GPO? Double-check what host it points to versus what certificate is there.

Let's say you have mail.youraddomain.local and the certificate matches that, but in the GPO to auto configure users, you are pushing exchange that also resolves to the same IP.

This will trigger a name mismatch.  Does the error/warning indicate what the issue with the certificate is?
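A way to carry out the check described above (which host the client connects to, and whether that host's certificate fails on name match, chain trust or expiry), as an added example that is not from this thread: it uses the .NET SslStream validation, which consults the same machine trust store that Outlook does, so a certificate pushed by GPO shows up as trusted here too. The host names at the bottom are placeholders for your own mail server, proxy and autodiscover names.

```powershell
# Added example, not code from the thread. Connects to a host the way a .NET/Outlook
# client does and reports which certificate checks fail: name mismatch, chain trust, expiry.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # the name Outlook actually connects to
        [int]$Port = 443
    )
    $seen = @{ Errors = 'NotChecked' }             # filled in by the validation callback
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $sslPolicyErrors)
        # e.g. "None", "RemoteCertificateNameMismatch", "RemoteCertificateChainErrors"
        $seen.Errors = $sslPolicyErrors.ToString()
        return $true                                # accept so the certificate can still be read
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)        # this host name is what the name check uses
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # Subject Alternative Name
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Host            = "$HostName`:$Port"
            Subject         = $cert.Subject
            SubjectAltNames = $san
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            Expired         = ($cert.NotAfter -lt (Get-Date))
            Thumbprint      = $cert.Thumbprint
            PolicyErrors    = $seen.Errors          # NameMismatch: pushing the cert as trusted won't fix it
        }
    }
    finally {
        $tcp.Close()
    }
}

# Check every name a client may use: the mail server, the proxy name from the Outlook error,
# and the autodiscover names. Placeholder names; substitute your own.
'mail.example.local', 'autodiscover.example.local', "autodiscover.$env:USERDNSDOMAIN" |
    ForEach-Object { Test-ExchangeCertificate -HostName $_ } |
    Format-List
```

A host reporting `PolicyErrors: None` is not the one causing the Outlook error; `RemoteCertificateNameMismatch` means the certificate does not cover that name, and `RemoteCertificateChainErrors` means the client does not trust the issuer or the certificate is expired.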
Simon Butler (Sembee), Consultant, commented:
The first problem is using the self signed certificate.
Those are not designed or supported for production use. You should really have a trusted SSL certificate on the server. When you can get a suitable certificate for less than $70/year, it doesn't make any sense to do anything else.

Once you have the certificate sorted out, you then need to correct the configuration of Exchange to support the new SSL certificate. Again easily done, but you need to be consistent with the configuration.

Exchange 2013 uses SSL exclusively; it is not an optional feature.

Kevin Castleman (IT Administrator), Author, commented:
OK. Well, the short version is I regenerated the security certificate and reapplied it to the mail server, AD controllers, and in GPO. It seems to be working now. I couldn't ever figure out what was wrong or what went wrong, so I just started over from scratch.

It's funny that you say not to use a self-signed certificate. The server was originally set up and configured by Microsoft themselves, and they set up the self-signed cert and never told us we should buy one.

Thanks for everyone's help.
