• Status: Solved

Exchange 2010 Event Id 12018 & 12017

Windows 2008 R2 Server
Exchange 2010 Enterprise RU10

Started last night getting Event Id 12017 and 12018 every so often

Log Name:      Application
Source:        MSExchangeTransport
Date:          8/18/2015 8:01:27 AM
Event ID:      12018
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server025.fqdn.com
Description:
The STARTTLS certificate will expire soon: subject: server025.fqdn.com, thumbprint: A95500C7B57DB3F651744F52B1001CFC11844022, hours remaining: 730. Run the New-ExchangeCertificate cmdlet to create a new certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12018</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T12:01:27.000000000Z" />
    <EventRecordID>214702</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server025.fqdn.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>server025.fqdn.com</Data>
    <Data>A95500C7B57DB3F651744F52B1001CFC11844022</Data>
    <Data>730</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        MSExchangeTransport
Date:          8/18/2015 8:01:29 AM
Event ID:      12017
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server025.fqdn.com
Description:
An internal transport certificate will expire soon. Thumbprint:A95500C7B57DB3F651744F52B1001CFC11844022, hours remaining: 730
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12017</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T12:01:29.000000000Z" />
    <EventRecordID>214703</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server025.fqdn.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>A95500C7B57DB3F651744F52B1001CFC11844022</Data>
    <Data>730</Data>
  </EventData>
</Event>

******************************************************************************************

run this   new-exchangecertificate

[PS] C:\Windows\system32>new-exchangecertificate
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'server025.fqdn.com' because the CA-signed certificate with thumbprint
'A95500C7B57DB3F651744F52B1001CFC11844022' takes precedence. The following receive/send connectors match that FQDN:
Client server025, TGCSNET Anonymous Relay, TGCSNET Port 1025, Default server025.

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'A95500C7B57DB3F651744F52B1001CFC11844022' (expires 9/17/2015 10:10:28 PM)
Replace it with certificate: 'F0C8851B678F1171E542DF8F6E5058EF46A361EE' (expires 8/18/2020 8:14:56 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Thumbprint                                Services   Subject
----------                                --------   -------
F0C8851B678F1171E542DF8F6E5058EF46A361EE  ....S.     CN=server025


[PS] C:\Windows\system32>


I then restarted Microsoft Exchange Transport service

Still getting this error

What am I missing here?

Thanks
0
Asked by: Thomas Grassi
 
Gaurav Singh (Solution Architect) commented:
Is this a self-signed certificate or a third-party CA? Also, please assign the certificates to the SMTP
0
 
Ugo Mena commented:
As Gaurav states, you need to assign the new certificate to your SMTP service using the following command

Enable-ExchangeCertificate -Thumbprint "234234234234234234" -Service "SMTP"


where you replace the thumbprint information with your newly generated Certificate thumbprint.

use
Get-ExchangeCertificate


to double check your Certificate thumbprint
0
 
Thomas Grassi (Systems Administrator, Author) commented:
Guys

Thanks

the new certificate is now on SMTP

When I ran "Get-ExchangeCertificate"

I see the old certificate  Thumbprint on Services IMAP POP IIS SMTP  which is the webmail  

see my log

[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE" -Service "SMTP"
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'TGCS025.our.network.tgcsnet.com' because the CA-signed certificate with thumbprint
'A95500C7B57DB3F651744F52B1001CFC11844022' takes precedence. The following receive/send connectors match that FQDN:
Client TGCS025, TGCSNET Anonymous Relay, TGCSNET Port 1025, Default TGCS025.
[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
F0C8851B678F1171E542DF8F6E5058EF46A361EE  ....S.     CN=TGCS025
A95500C7B57DB3F651744F52B1001CFC11844022  IP.WS.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE  ......     CN=mail.tgcsnet.com
064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28  ....S.     CN=TGCS025
2F20DA70FF56188DD15B68F8597AD655C4AC5AC6  ......     CN=WMSvc-TGCS025


[PS] C:\Windows\system32>get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {TGCS025, TGCS025.our.network.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=TGCS025
NotAfter           : 8/18/2020 8:14:56 AM
NotBefore          : 8/18/2015 8:14:56 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 667107F116CCFDB949B244EA3182968D
Services           : SMTP
Status             : Valid
Subject            : CN=TGCS025
Thumbprint         : F0C8851B678F1171E542DF8F6E5058EF46A361EE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.tgcsnet.com, www.webmail.tgcsnet.com, tgcsnet.com, mail.tgcsnet.com, tgcs025.our.network.
                     tgcsnet.com, legacy.tgcsnet.com, autodiscover.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 9/17/2015 10:10:28 PM
NotBefore          : 1/17/2015 7:34:38 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 36B9F70536C8BBC4
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.tgcsnet.com, OU=Domain Control Validated
Thumbprint         : A95500C7B57DB3F651744F52B1001CFC11844022

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule}
CertificateDomains : {mail.tgcsnet.com, autodiscover.tgcsnet.com, webmail.tgcsnet.com, TGCS025.our.network.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mail.tgcsnet.com
NotAfter           : 1/17/2016 7:08:02 PM
NotBefore          : 1/17/2015 6:48:02 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 52B2100C5D7BD7874B0D1B793BBAA9DC
Services           : None
Status             : PendingRequest
Subject            : CN=mail.tgcsnet.com
Thumbprint         : A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {TGCS025, TGCS025.our.network.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=TGCS025
NotAfter           : 1/10/2020 5:45:40 PM
NotBefore          : 1/10/2015 5:45:40 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 31526EC739020FA04463B725AD5B5423
Services           : SMTP
Status             : Valid
Subject            : CN=TGCS025
Thumbprint         : 064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-TGCS025}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-TGCS025
NotAfter           : 1/4/2025 9:30:15 PM
NotBefore          : 1/7/2015 9:30:15 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 28A0EAFCA14DD7A349BC1519BC6ADDCC
Services           : None
Status             : Valid
Subject            : CN=WMSvc-TGCS025
Thumbprint         : 2F20DA70FF56188DD15B68F8597AD655C4AC5AC6



[PS] C:\Windows\system32>

Do I need to do

Enable-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE" -Service "SMTP, IIS"

I do not use POP or IMAP

I have two connectors for SMTP: port 25 and port 1025

I think only the webmail needs to be updated also which is IIS right?

Do I have the correct syntax?

What does the warning refer to?

thanks
0
 
Thomas Grassi (Systems Administrator, Author) commented:
I ran this

[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE" -Service "SMTP,IIS,POP,IMAP"
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'TGCS025.our.network.tgcsnet.com' because the CA-signed certificate with thumbprint
'A95500C7B57DB3F651744F52B1001CFC11844022' takes precedence. The following receive/send connectors match that FQDN:
Client TGCS025, TGCSNET Anonymous Relay, TGCSNET Port 1025, Default TGCS025.
[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
F0C8851B678F1171E542DF8F6E5058EF46A361EE  IP.WS.     CN=TGCS025
A95500C7B57DB3F651744F52B1001CFC11844022  ....S.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE  ......     CN=mail.tgcsnet.com
064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28  IP..S.     CN=TGCS025
2F20DA70FF56188DD15B68F8597AD655C4AC5AC6  ......     CN=WMSvc-TGCS025


Still getting the error

Not sure about the warning after the command

Thoughts
0
 
Thomas Grassi (Systems Administrator, Author) commented:
Update

The SSL is from GoDaddy and expires on 9/17/2015.

Contacted them for an early update. Will update this later in the week.

If anyone has any further thoughts, all are welcome.
0
 
Thomas Grassi (Systems Administrator, Author) commented:
Thanks guys

The SSL Certificate does not expire till 9/17/2015

Contacted GoDaddy and will update the cert later this week.

Believe that is the issue
0
 
Ugo Mena commented:
It does look like the certificate in question is from GoDaddy.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.tgcsnet.com, www.webmail.tgcsnet.com, tgcsnet.com, mail.tgcsnet.com, tgcs025.our.network.
                     tgcsnet.com, legacy.tgcsnet.com, autodiscover.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 9/17/2015 10:10:28 PM
NotBefore          : 1/17/2015 7:34:38 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 36B9F70536C8BBC4
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.tgcsnet.com, OU=Domain Control Validated
Thumbprint         : A95500C7B57DB3F651744F52B1001CFC11844022

You will probably want to remove the following certificate you created and assigned to services.

Remove-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE"

Although you can have multiple certificates enabled for SMTP, Exchange will use a preference to determine which certificate it uses.  For example, it prefers PKI certificates over self-signed certificates.  If you have multiple PKI certificates, it uses the one that will last the longest, etc.

Here is a great diagram showing the How and Why TransportService Event IDs get logged.

https://technet.microsoft.com/en-us/library/bb430748.aspx
0
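The answer above says Exchange prefers a CA-issued certificate over a self-signed one and, among several, the one that lasts longest. As an added example (not code from the thread or from Exchange), this read-only PowerShell sketch ranks the valid SMTP-enabled certificates that cover a connector FQDN by that stated preference and flags those near expiry; the function names, the 45-day window and the ranking model are assumptions, and the sample rows are constructed from values in the thread's output.

```powershell
# Added example. Uses PowerShell 2.0 syntax, as shipped with the Exchange 2010 shell.
# Constructed sample rows, abridged from the Get-ExchangeCertificate | fl output above.
# On the server, use instead:  $certs = Get-ExchangeCertificate
function New-SampleCert($Thumbprint, $Services, $SelfSigned, $Status, $NotAfter, $Domains) {
    New-Object PSObject -Property @{
        Thumbprint = $Thumbprint; Services = $Services; IsSelfSigned = $SelfSigned
        Status = $Status; NotAfter = [datetime]$NotAfter; CertificateDomains = $Domains
    }
}
$fqdn  = 'TGCS025.our.network.tgcsnet.com'
$certs = @(
    (New-SampleCert 'F0C8851B678F1171E542DF8F6E5058EF46A361EE' 'SMTP' $true 'Valid' '8/18/2020 8:14:56 AM' @('TGCS025', $fqdn)),
    (New-SampleCert 'A95500C7B57DB3F651744F52B1001CFC11844022' 'IMAP, POP, IIS, SMTP' $false 'Valid' '9/17/2015 10:10:28 PM' @('webmail.tgcsnet.com', 'tgcs025.our.network.tgcsnet.com')),
    (New-SampleCert 'A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE' 'None' $false 'PendingRequest' '1/17/2016 7:08:02 PM' @('mail.tgcsnet.com', $fqdn)),
    (New-SampleCert '064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28' 'SMTP' $true 'Valid' '1/10/2020 5:45:40 PM' @('TGCS025', $fqdn))
)

# Hypothetical helper: models only the preference stated in the answer, not Exchange's own selection code.
function Get-SmtpCertificateAudit {
    param(
        [Parameter(Mandatory = $true)] $Certificates,
        [Parameter(Mandatory = $true)] [string] $Fqdn,
        [datetime] $Now = (Get-Date),
        [int] $WarnHours = 1080   # assumption: 45-day review window, not an Exchange setting
    )
    $rank = 0
    $Certificates |
        # Keep certificates that are usable for SMTP and whose domain list covers the FQDN
        Where-Object { "$($_.Services)" -match 'SMTP' -and "$($_.Status)" -eq 'Valid' } |
        Where-Object { @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Fqdn } |
        # CA-issued before self-signed, then the latest expiry first
        Sort-Object @{ Expression = { [bool]$_.IsSelfSigned }; Ascending = $true },
                    @{ Expression = { $_.NotAfter }; Descending = $true } |
        ForEach-Object {
            $rank++
            $hours = [math]::Floor(($_.NotAfter - $Now).TotalHours)
            New-Object PSObject -Property @{
                Rank = $rank; Thumbprint = $_.Thumbprint; SelfSigned = $_.IsSelfSigned
                NotAfter = $_.NotAfter; HoursRemaining = $hours; ExpiringSoon = ($hours -lt $WarnHours)
            }
        } | Select-Object Rank, Thumbprint, SelfSigned, NotAfter, HoursRemaining, ExpiringSoon
}

# Evaluate as of the first event's timestamp so the result is reproducible
Get-SmtpCertificateAudit -Certificates $certs -Fqdn $fqdn -Now ([datetime]'8/18/2015 8:01:27 AM') |
    Format-Table -AutoSize
```

With the sample rows, the CA-issued certificate ranks first and is the only one flagged, which matches the warning in the thread that it takes precedence over the newly created self-signed certificate.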
 
Thomas Grassi (Systems Administrator, Author) commented:
Guys

Update: New cert from GoDaddy today. Errors seem to have disappeared; will monitor for a few hours to see.
When I do this:

[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
4E928DC3E754EF07787991E10F2BDCF93CAD49F2  IP.WS.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
145A784E03B0C544DF57A51D8F70208B86D800FA  ......     C=US, S=New Jersey, L=Wood Ridge, O=TGCSNET, OU=IT, CN=autodisc...
F0C8851B678F1171E542DF8F6E5058EF46A361EE  ....S.     CN=TGCS025
A95500C7B57DB3F651744F52B1001CFC11844022  IP..S.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE  ......     CN=mail.tgcsnet.com
064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28  ....S.     CN=TGCS025
2F20DA70FF56188DD15B68F8597AD655C4AC5AC6  ......     CN=WMSvc-TGCS025


I still see "A95500C7B57DB3F651744F52B1001CFC11844022" listed which was in the event error

How do I get rid of this?


Thanks
0
 
Ugo Mena commented:
As long as the new certificate is loaded and has been assigned services, you should be able to remove the old cert with this
Remove-ExchangeCertificate -Thumbprint "A95500C7B57DB3F651744F52B1001CFC11844022"

0
 
Thomas Grassi (Systems Administrator, Author) commented:
Thanks will try that tonight
0