Exchange 2010 Event Id 12018 & 12017

Windows 2008 R2 Server
Exchange 2010 Enterprise RU10

Started last night getting Event Id 12017 and 12018 every so often

Log Name:      Application
Source:        MSExchangeTransport
Date:          8/18/2015 8:01:27 AM
Event ID:      12018
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server025.fqdn.com
Description:
The STARTTLS certificate will expire soon: subject: server025.fqdn.com, thumbprint: A95500C7B57DB3F651744F52B1001CFC11844022, hours remaining: 730. Run the New-ExchangeCertificate cmdlet to create a new certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12018</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T12:01:27.000000000Z" />
    <EventRecordID>214702</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server025.fqdn.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>server025.fqdn.com</Data>
    <Data>A95500C7B57DB3F651744F52B1001CFC11844022</Data>
    <Data>730</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        MSExchangeTransport
Date:          8/18/2015 8:01:29 AM
Event ID:      12017
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server025.fqdn.com
Description:
An internal transport certificate will expire soon. Thumbprint:A95500C7B57DB3F651744F52B1001CFC11844022, hours remaining: 730
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12017</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-18T12:01:29.000000000Z" />
    <EventRecordID>214703</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server025.fqdn.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>A95500C7B57DB3F651744F52B1001CFC11844022</Data>
    <Data>730</Data>
  </EventData>
</Event>

******************************************************************************************

run this   new-exchangecertificate

[PS] C:\Windows\system32>new-exchangecertificate
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'server025.fqdn.com' because the CA-signed certificate with thumbprint
'A95500C7B57DB3F651744F52B1001CFC11844022' takes precedence. The following receive/send connectors match that FQDN:
Client server025, TGCSNET Anonymous Relay, TGCSNET Port 1025, Default server025.

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'A95500C7B57DB3F651744F52B1001CFC11844022' (expires 9/17/2015 10:10:28 PM)
Replace it with certificate: 'F0C8851B678F1171E542DF8F6E5058EF46A361EE' (expires 8/18/2020 8:14:56 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Thumbprint                                Services   Subject
----------                                --------   -------
F0C8851B678F1171E542DF8F6E5058EF46A361EE  ....S.     CN=server025


[PS] C:\Windows\system32>


I then restarted Microsoft Exchange Transport service

Still getting this error

What am I missing here?

Thanks
Thomas Grassi (Systems Administrator) asked:

systechadmin (Consultant) commented:
Is this a self-signed certificate or a third-party CA? Also, please assign the certificates to the SMTP service.
0
Ugo Mena commented:
As Gaurav states, you need to assign the new certificate to your SMTP service using the following command

Enable-ExchangeCertificate -Thumbprint "234234234234234234" -Service "SMTP"

where you replace the thumbprint information with your newly generated Certificate thumbprint.

use
Get-ExchangeCertificate

to double check your Certificate thumbprint
0

Thomas Grassi (Systems Administrator, Author) commented:
Guys

Thanks

the new certificate is now on SMTP

When I ran "Get-ExchangeCertificate"

I see the old certificate  Thumbprint on Services IMAP POP IIS SMTP  which is the webmail  

see my log

[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE" -Service "SMTP"
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'TGCS025.our.network.tgcsnet.com' because the CA-signed certificate with thumbprint
'A95500C7B57DB3F651744F52B1001CFC11844022' takes precedence. The following receive/send connectors match that FQDN:
Client TGCS025, TGCSNET Anonymous Relay, TGCSNET Port 1025, Default TGCS025.
[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
F0C8851B678F1171E542DF8F6E5058EF46A361EE  ....S.     CN=TGCS025
A95500C7B57DB3F651744F52B1001CFC11844022  IP.WS.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE  ......     CN=mail.tgcsnet.com
064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28  ....S.     CN=TGCS025
2F20DA70FF56188DD15B68F8597AD655C4AC5AC6  ......     CN=WMSvc-TGCS025


[PS] C:\Windows\system32>get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {TGCS025, TGCS025.our.network.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=TGCS025
NotAfter           : 8/18/2020 8:14:56 AM
NotBefore          : 8/18/2015 8:14:56 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 667107F116CCFDB949B244EA3182968D
Services           : SMTP
Status             : Valid
Subject            : CN=TGCS025
Thumbprint         : F0C8851B678F1171E542DF8F6E5058EF46A361EE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.tgcsnet.com, www.webmail.tgcsnet.com, tgcsnet.com, mail.tgcsnet.com, tgcs025.our.network.
                     tgcsnet.com, legacy.tgcsnet.com, autodiscover.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 9/17/2015 10:10:28 PM
NotBefore          : 1/17/2015 7:34:38 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 36B9F70536C8BBC4
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.tgcsnet.com, OU=Domain Control Validated
Thumbprint         : A95500C7B57DB3F651744F52B1001CFC11844022

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule}
CertificateDomains : {mail.tgcsnet.com, autodiscover.tgcsnet.com, webmail.tgcsnet.com, TGCS025.our.network.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=mail.tgcsnet.com
NotAfter           : 1/17/2016 7:08:02 PM
NotBefore          : 1/17/2015 6:48:02 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 52B2100C5D7BD7874B0D1B793BBAA9DC
Services           : None
Status             : PendingRequest
Subject            : CN=mail.tgcsnet.com
Thumbprint         : A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                     essRule}
CertificateDomains : {TGCS025, TGCS025.our.network.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=TGCS025
NotAfter           : 1/10/2020 5:45:40 PM
NotBefore          : 1/10/2015 5:45:40 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 31526EC739020FA04463B725AD5B5423
Services           : SMTP
Status             : Valid
Subject            : CN=TGCS025
Thumbprint         : 064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-TGCS025}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-TGCS025
NotAfter           : 1/4/2025 9:30:15 PM
NotBefore          : 1/7/2015 9:30:15 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 28A0EAFCA14DD7A349BC1519BC6ADDCC
Services           : None
Status             : Valid
Subject            : CN=WMSvc-TGCS025
Thumbprint         : 2F20DA70FF56188DD15B68F8597AD655C4AC5AC6



[PS] C:\Windows\system32>

Do I need to do

Enable-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE" -Service "SMTP, IIS"

I do not use POP or IMAP

I have two connectors for SMTP: port 25 and port 1025

I think only the webmail needs to be updated also, which is IIS, right?

Do I have the correct syntax?

What does the warning refer to?

thanks
0
Thomas Grassi (Systems Administrator, Author) commented:
I ran this

[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE" -Service "SMT
P,IIS,POP,IMAP"
WARNING: This certificate will not be used for external TLS connections with an FQDN of
'TGCS025.our.network.tgcsnet.com' because the CA-signed certificate with thumbprint
'A95500C7B57DB3F651744F52B1001CFC11844022' takes precedence. The following receive/send connectors match that FQDN:
Client TGCS025, TGCSNET Anonymous Relay, TGCSNET Port 1025, Default TGCS025.
[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
F0C8851B678F1171E542DF8F6E5058EF46A361EE  IP.WS.     CN=TGCS025
A95500C7B57DB3F651744F52B1001CFC11844022  ....S.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE  ......     CN=mail.tgcsnet.com
064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28  IP..S.     CN=TGCS025
2F20DA70FF56188DD15B68F8597AD655C4AC5AC6  ......     CN=WMSvc-TGCS025


Still getting the error

Not sure about the warning after the command

Thoughts
0
Thomas Grassi (Systems Administrator, Author) commented:
Update

The SSL is from GoDaddy and Expires on 9/17/2015

Contacted them for an early update  Will update this later in the week

If anyone has any further thoughts, all are welcome.
0
Thomas Grassi (Systems Administrator, Author) commented:
Thanks guys

The SSL Certificate does not expire till 9/17/2015

Contacted GoDaddy and will update the cert later this week.

Believe that is the issue
0
Ugo Mena commented:
It does look like the certificate in question is from GoDaddy.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.tgcsnet.com, www.webmail.tgcsnet.com, tgcsnet.com, mail.tgcsnet.com, tgcs025.our.network.
                     tgcsnet.com, legacy.tgcsnet.com, autodiscover.tgcsnet.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.
                     com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 9/17/2015 10:10:28 PM
NotBefore          : 1/17/2015 7:34:38 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 36B9F70536C8BBC4
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.tgcsnet.com, OU=Domain Control Validated
Thumbprint         : A95500C7B57DB3F651744F52B1001CFC11844022

You will probably want to remove the following certificate you created and assigned to services.

ExchangeCertificate -Thumbprint "F0C8851B678F1171E542DF8F6E5058EF46A361EE"

Although you can have multiple certificates enabled for SMTP, Exchange will use a preference to determine which certificate it uses.  For example, it prefers PKI certificates over self-signed certificates.  If you have multiple PKI certificates, it uses the one that will last the longest, etc...

Here is a great diagram showing the How and Why TransportService Event IDs get logged.

https://technet.microsoft.com/en-us/library/bb430748.aspx
0
Thomas Grassi (Systems Administrator, Author) commented:
Guys

Update: New cert from GoDaddy today. Errors seem to have disappeared; will monitor for a few hours to see.
When I do this

[PS] C:\Windows\system32>get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
4E928DC3E754EF07787991E10F2BDCF93CAD49F2  IP.WS.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
145A784E03B0C544DF57A51D8F70208B86D800FA  ......     C=US, S=New Jersey, L=Wood Ridge, O=TGCSNET, OU=IT, CN=autodisc...
F0C8851B678F1171E542DF8F6E5058EF46A361EE  ....S.     CN=TGCS025
A95500C7B57DB3F651744F52B1001CFC11844022  IP..S.     CN=webmail.tgcsnet.com, OU=Domain Control Validated
A07668BAF4EE2ECE7BD5046D4379A92C826B2AAE  ......     CN=mail.tgcsnet.com
064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28  ....S.     CN=TGCS025
2F20DA70FF56188DD15B68F8597AD655C4AC5AC6  ......     CN=WMSvc-TGCS025


I still see "A95500C7B57DB3F651744F52B1001CFC11844022" listed which was in the event error

How do I get rid of this?


Thanks
0
Ugo Mena commented:
As long as the new certificate is loaded and has been assigned services, you should be able to remove the old cert with this
Remove-ExchangeCertificate -Thumbprint "A95500C7B57DB3F651744F52B1001CFC11844022"

0
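The precondition in the answer above (the new certificate is loaded and has services assigned before the old one is removed) can be checked before running Remove-ExchangeCertificate. This is an added example, not part of the original thread or of Exchange: `Test-ExchangeCertRemoval` and `New-Cert` are hypothetical names, the sample objects are constructed from the last listing on this page, and the expiry date and status of the 4E92... certificate are assumed because the page does not show them.

```powershell
function Test-ExchangeCertRemoval {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Certificates,  # Get-ExchangeCertificate output
        [Parameter(Mandatory=$true)] [string]   $Thumbprint,    # certificate to retire
        [int]      $MinHoursLeft = 730,   # "hours remaining" value in events 12017/12018 on this page
        [datetime] $Now = (Get-Date)
    )
    # Services renders as "IMAP, POP, IIS, SMTP" or "None"; turn it into a list of names.
    $names = { param($c) @("$($c.Services)" -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' }) }

    $old = @($Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint })
    if ($old.Count -ne 1) { throw "Expected exactly one certificate with thumbprint $Thumbprint" }
    $oldCert = $old[0]

    # Candidates: another certificate that is Valid, has its private key, and is not near expiry itself.
    $usable = @($Certificates | Where-Object {
        $_.Thumbprint -ne $Thumbprint -and "$($_.Status)" -eq 'Valid' -and
        $_.HasPrivateKey -and ($_.NotAfter - $Now).TotalHours -gt $MinHoursLeft
    })

    foreach ($svc in (& $names $oldCert)) {
        $cover    = @($usable | Where-Object { (& $names $_) -contains $svc })
        $caSigned = @($cover  | Where-Object { -not $_.IsSelfSigned })
        New-Object PSObject -Property @{
            Service       = $svc
            Covered       = ($cover.Count -gt 0)      # some other usable cert holds this service
            CaSignedCover = ($caSigned.Count -gt 0)   # at least one of them is not self-signed
            CoveredBy     = (($cover | ForEach-Object { $_.Thumbprint }) -join ', ')
        } | Select-Object Service, Covered, CaSignedCover, CoveredBy
    }
}

# Constructed sample mirroring the last Get-ExchangeCertificate listing on this page.
# NotAfter and Status for 4E92... are ASSUMED; they are not shown in the thread.
function New-Cert($t, $svc, $notAfter, $self) {
    New-Object PSObject -Property @{ Thumbprint = $t; Services = $svc; NotAfter = [datetime]$notAfter
        Status = 'Valid'; HasPrivateKey = $true; IsSelfSigned = $self }
}
$sample = @(
    (New-Cert '4E928DC3E754EF07787991E10F2BDCF93CAD49F2' 'IMAP, POP, IIS, SMTP' '2016-09-17 22:10:28' $false),
    (New-Cert 'F0C8851B678F1171E542DF8F6E5058EF46A361EE' 'SMTP'                 '2020-08-18 08:14:56' $true),
    (New-Cert 'A95500C7B57DB3F651744F52B1001CFC11844022' 'IMAP, POP, SMTP'      '2015-09-17 22:10:28' $false),
    (New-Cert '064DD5E5067D1735C1B7DCF9F34F1EA6F51A7A28' 'SMTP'                 '2020-01-10 17:45:40' $true)
)
# -Now is pinned to a constructed date so the sample gives the same result whenever it is run.
Test-ExchangeCertRemoval -Certificates $sample -Thumbprint 'A95500C7B57DB3F651744F52B1001CFC11844022' `
    -Now ([datetime]'2015-08-25') | Format-Table -AutoSize
```

On the server itself, pass `(Get-ExchangeCertificate)` as `-Certificates` and omit `-Now`. A row with `Covered` or `CaSignedCover` set to False means that removing the old certificate would leave that service with no certificate, or with only a self-signed one.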
Thomas Grassi (Systems Administrator, Author) commented:
Thanks will try that tonight
0