bill2013

asked on

Cannot connect using new SSL

I have recently installed a SANS/UCC certificate to replace a single domain one but I cannot connect to OWA, ECP etc. using the new SSL.

Externally, if I connect to https://oldSSL.domain.com/owa I get a security warning as it is looking for the new SSL, but I can continue and open emails.

If I type https://newSSL.domain.com/owa I get a page "cannot be displayed" message.

I did all this within EAC and did not go near IIS, following the GoDaddy instructions to the letter, albeit for Exchange 2013 rather than 2016, and in the new certificate's services I selected SMTP, IMAP, POP and IIS. What have I missed?
ASKER CERTIFIED SOLUTION
Systech Admin
This solution is only available to members.
dinoos

Attached a picture.
Go into IIS.
Change the certificate. What expired to Microsoft Exchange!!!!!!!!!
Restart the IIS service.
The system will boot without a certificate but will have the possibility to renew
successfully.
ex2013.png
ASKER

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {newSSL.domain.com, www.newSSL.domain.com, domain.com,
                     autodiscover.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
                     O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 03/04/2017 22:12:38
NotBefore          : 03/04/2016 22:12:38
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 485CCA32A88A81B9
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=newSSL.domain.com, OU=Domain Control Validated
Thumbprint         : 1CE6F92E3A52C65571175168E3E10489D25B0EF0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {oldSSL.domain.com, www.oldSSL.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
                     O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 22/02/2017 22:06:39
NotBefore          : 22/02/2016 22:06:39
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 6FC6F0E66CDF4EFA
Services           : SMTP
Status             : Valid
Subject            : CN=oldSSL.domain.com, OU=Domain Control Validated
Thumbprint         : 3B8A6A90E5355D727ADA670FFBAA7EF1537B66ED

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 19/01/2021 12:51:01
NotBefore          : 15/02/2016 12:51:01
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 3F0A57B7B83AE6A24799B48449DBA05A
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : 5A737FE2BFD7B728AEEF2DA3A68EE87DB763E929

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {MSVSExchange, MSVSExchange.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=MSVSExchange
NotAfter           : 15/02/2021 12:48:24
NotBefore          : 15/02/2016 12:48:24
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 4A6379A4BC0E218B44ED26BFF904D442
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=MSVSExchange
Thumbprint         : 01DB54629061F78522D91DB84E8F7297887DF14D

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-MSVSEXCHANGE}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-MSVSEXCHANGE
NotAfter           : 10/02/2026 16:30:11
NotBefore          : 13/02/2016 16:30:11
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6B22BCA8627D90A44E161001B4C1D7D1
Services           : None
Status             : Valid
Subject            : CN=WMSvc-MSVSEXCHANGE
Thumbprint         : 853B71E0562A20A6AA590F3BE83E338E02AD5D10
These are the Godaddy instructions:

To Install an SSL Certificate in Microsoft Exchange Server 2013
1. Log in to the Exchange Admin Center.
2. From the left menu, select Servers, and then click Certificates.
3. Select your certificate (it has a "Pending request" status), and then click Complete.
4. For File to import from, enter the certificate file path we provided (such as \\server\folder\coolexample.crt), and then click OK. Exchange installs your certificate.
5. In the Certificates section, select your certificate again (the status changed to "Valid"), and then click Edit (pencil icon).
6. Click Services, select the services to which the certificate applies (SMTP, UM, UM call router, IMAP, POP, and/or IIS), and then click OK. Your certificate is now ready to use with Exchange 2013.


No mention of IIS - this is obviously wrong - naughty GoDaddy!!
There is nothing wrong with those instructions. You don't go near IIS when installing the SSL certificate.
Furthermore, even if you had failed to install the intermediate certificate, it would still load, you would just get an SSL error.
This looks to me like the SSL certificate didn't create properly. Not unusual, I have had it happen with most vendors.
Create a new SSL certificate within Exchange, then do a rekey within the GoDaddy SSL platform. As you have just done the domain verification the certificate will then be issued immediately. No need to reinstall the intermediate certificate.

Simon.
Thanks, that seems to make sense as other instructions are the same as Godaddy's.

The SSL error would also seem to be responsible for my other problem of being unable to log in to EAC - it says the password is wrong. Any idea on how to get around that?
SSL certificate would have nothing to do with the authentication process. SSL is a transport layer, authentication is the content. Authentication errors can sometimes mean an error with the virtual directory setup.

Simon.
Okay, but now I cannot even get to the login page for owa or ecp, locally or externally using old or new certificates or IP address.

I get a security warning, then when I continue, it says the webpage does not exist.

Any ideas?
Did you install the intermediate certificates? Check the SSL validity with the tool below and share the results.

https://www.sslshopper.com/ssl-checker.html
Yes I did set up the Intermediate as with all GD SSLs.

GD already suggested that site yesterday and I get the message "newssl.domain.com does not resolve to an IP address. Please make sure your DNS records are set up correctly."

This would be correct as the updated entries are still not showing in the DNS. These normally take 30 minutes but the ISP says up to 24 hrs which will expire in 5 hours.

If I run either of two old certificates in SSLShopper I get:

oldssl.domain.com resolves to 81.xx.xxx.xx

Server Type: Microsoft-IIS/10.0  
 
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

The certificate was issued by GoDaddy.

The certificate will expire in 363 days.  
None of the common names in the certificate match the name that was entered (oldssl.domain.com). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.

Common name: newssl.domain.com
SANs: newssl.domain.com, www.newssl.domain.com, domain.com, autodiscover.domain.com
Valid from April 3, 2016 to April 3, 2017
Serial Number: 5214265015146481449 (0x485aca67a88a81b9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Go Daddy Secure Certificate Authority - G2  
   
 Common name: Go Daddy Secure Certificate Authority - G2
Organization: GoDaddy.com, Inc.
Location: Scottsdale, Arizona, US
Valid from May 3, 2011 to May 3, 2031
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Go Daddy Root Certificate Authority - G2  
   
 Common name: Go Daddy Root Certificate Authority - G2
Organization: GoDaddy.com, Inc.
Location: Scottsdale, Arizona, US
Valid from December 31, 2013 to May 30, 2031
Serial Number: 1828629 (0x1be295)
Signature Algorithm: sha256WithRSAEncryption
Issuer: The Go Daddy Group, Inc.


The client Outlook pcs cannot connect to the exchange server as none of the certificates are accessible.

If I try to connect to OWA externally using the old or new SSLs it says there is a security risk, and when I press continue I get a 404 "does not exist" error.
Probably the closest answer so far: the default web site in IIS needed to be pointed to the new certificate. Not working internally just yet but working perfectly externally.
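The asker's final finding was that EAC showed the new certificate enabled for IIS while the Default Web Site's HTTPS binding still served the old one. The following script is an added example, not from the thread or from GoDaddy: run in the Exchange Management Shell with the IIS WebAdministration module, it compares the certificate Exchange reports for IIS against the thumbprint actually bound on port 443, rebinds if they differ, and checks the DNS name that SSL Shopper could not resolve. The host name is a placeholder taken from the thread.

```powershell
# Added example (not from the thread). Assumes Exchange Management Shell on the
# Exchange 2013 server plus the IIS WebAdministration module.
Import-Module WebAdministration

$ExpectedHost = 'newSSL.domain.com'   # placeholder: the name clients use for OWA/ECP

# Certificates Exchange believes are enabled for IIS (what EAC "Services" shows),
# ignoring the server's own self-signed ones.
$iisCerts = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned }

foreach ($cert in $iisCerts) {
    $names  = $cert.CertificateDomains | ForEach-Object { "$_" }
    $covers = $names -contains $ExpectedHost
    "Exchange IIS cert {0}  covers {1}: {2}  expires {3}" -f `
        $cert.Thumbprint, $ExpectedHost, $covers, $cert.NotAfter
}

# What IIS is actually serving: certificateHash on the HTTPS binding is the
# thumbprint browsers see, regardless of what EAC reports.
$bindings = Get-WebBinding -Name 'Default Web Site' -Protocol https
foreach ($b in $bindings) {
    "IIS binding {0} -> thumbprint {1}" -f $b.bindingInformation, $b.certificateHash
}

# The thread's fix: if the binding does not carry the new certificate, re-enable
# it for IIS (which rewrites the binding) and restart IIS as dinoos suggested.
$target = $iisCerts |
    Where-Object { ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $ExpectedHost } |
    Select-Object -First 1
if ($target -and ($bindings.certificateHash -notcontains $target.Thumbprint)) {
    Enable-ExchangeCertificate -Thumbprint $target.Thumbprint -Services IIS -Confirm:$false
    iisreset
}

# Separate issue from the thread: the external checker failed only because the
# new name had not propagated yet. Confirm resolution before testing externally.
Resolve-DnsName -Name $ExpectedHost -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress
```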