Solved

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN

Posted on 2016-10-18
Last Modified: 2016-10-19
Exchange 2007. I tried to do this:

Simply you can execute the below commands and it may resolve your query.

1. Open "Exchange Management Shell".
2. Write "Get-ExchangeCertificate" and press the "Enter" button.
3. Write down the Thumbprint of the certificate that reflects the required FQDN name of the server.
4. Review the current certificates that are used by the Exchange server and each certificate's function.
5. Write "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services SMTP" and press the "Enter" button.
   • The value of -Thumbprint is the one obtained in step 3.
6. Restart the Exchange server.

But the values are all cut off because the window is too small side to side. I can't tell which thumbprint is for the FQDN... it looks like there may be a few. Is that possible?
Question by:QMBB
7 Comments
 

Author Comment

by:QMBB
ID: 41848871
it looks like this:

Thumbprint                                Services   Subject
----------                                --------   -------
A9D08A8398973A7E2F2095284B89258B107C4F67  IP.WS      CN=mail.mydomain.co...
4635429745AA20A70BD27FB65B80C5A90863A74R  .....      C=US, L=Seattle, S=Was...
F7A3471ECB5D7B315BEAE8C5BA6E3620D2027952  IP..S      CN=mail.mydomain.co...
54F3F6D7E3F4EABCD2B7A60733BE03051934FNJR  IP..S      CN=mail.mydomain.co...
78A98332A0527CD1FE407E0ED7B0D987A99068JJ  IP..S      CN=mail.mydomain.co...
EA63EE80539673A9BF8D380CF91FFC06521689E4  ....S      CN=MYEXCHANGE
31A64D5E28F49AAB2CE6677C4BE54A9544B1F75S  .....      CN=WMSvc-MYEXCHANGE
 

Expert Comment

by:Ivan
ID: 41848886
Hi,

you can just add | fl at the end of the command, and it will list all the info for you. Maybe too much info, but you will see what you need :)

Like: Get-ExchangeCertificate | fl

Regards,
Ivan.
 

Expert Comment

by:Ivan
ID: 41848894
When you run the command in the post above, it will show you the validity dates.

PS: Maybe you have certificates that are expired, but simply not removed from the server.
You can check that by going to mmc --> add the Certificates snap-in, and looking under computer certificates --> local store.
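The two things this thread asks for, seeing the full certificate details that the default table truncates and picking the right thumbprint for SMTP, can be done in one Exchange Management Shell pass. The script below is an added example, not code from the thread, from Ivan, or from Microsoft. Its only assumption is $Fqdn, set here to the host name from the event text QMBB posted later in the thread; note that the event names the internal host MYEXCHANGE.MyCoInc.local rather than mail.mydomain.com, so filtering on the event's FQDN tells you whether any unexpired certificate actually covers the name Exchange is complaining about.

```powershell
# Added example, not code from the thread. It does what Ivan's "| fl" tip and the
# pasted six-step procedure describe, in one pass.
# Assumption: $Fqdn is the host name from the posted event; change it if your event
# names a different host.
$Fqdn = 'MYEXCHANGE.MyCoInc.local'
$Now  = Get-Date

# 1. Full, untruncated listing. Format-List prints one property per line, so the
#    thumbprint and subject are never cut off the way they are in the default table.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotBefore, NotAfter, IsSelfSigned

# 2. Expired certificates still sitting in the store. They do not stop mail flow,
#    but they are what produces the "existing certificate ... has expired" event.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -le $Now } |
    Format-Table Thumbprint, NotAfter, Subject -AutoSize

# 3. The certificate to use for SMTP: currently valid and covering the FQDN,
#    either exactly or through a wildcard for its parent domain.
$parent   = $Fqdn.Substring($Fqdn.IndexOf('.'))      # ".MyCoInc.local"
$wildcard = '*' + $parent                             # "*.MyCoInc.local"
$matching = @(Get-ExchangeCertificate | Where-Object {
    $names = @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    ($_.NotBefore -le $Now) -and ($_.NotAfter -gt $Now) -and
    (($names -contains $Fqdn.ToLower()) -or ($names -contains $wildcard.ToLower()))
})

if ($matching.Count -eq 0) {
    "No unexpired certificate covers $Fqdn. Issue one (New-ExchangeCertificate or your CA) before enabling."
}
elseif ($matching.Count -gt 1) {
    "More than one valid certificate covers $Fqdn; pick one by thumbprint:"
    $matching | Format-Table Thumbprint, NotAfter, Services -AutoSize
}
else {
    $thumb = $matching[0].Thumbprint
    "Using $thumb (expires $($matching[0].NotAfter)) for SMTP."
    # -WhatIf reports the change without making it; remove it to apply, then
    # restart as step 6 of the pasted procedure says.
    Enable-ExchangeCertificate -Thumbprint $thumb -Services SMTP -WhatIf
}
```

Run it in the Exchange Management Shell on the server named in the event. The `@(...)` wrappers matter on the PowerShell versions Exchange 2007 ships with, where a single matching object would otherwise have no `.Count` and could not be indexed.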

 

Author Comment

by:QMBB
ID: 41848938
Ok, that worked to see them. I did the snap in route. I do have 3 expired certs and one valid cert for the FQDN mail.mydomain.com, but those expired ones have been in there for years. Why would they cause a problem now? The problem that happened was all mail stopped coming in, even inter-office mail. I looked in the event viewer and saw the error about which I posted here. An hour after the problem started, it went away by itself (after I rebooted the server +10 minutes) and all the backed up email came in.

Again, these were not just outside emails (which our O365 spam protection would have queued up), but also emails sent from one staff member to another, and those emails never even leave the building. So something in Exchange stopped delivering emails to all users' Outlook.
 

Accepted Solution

by: Ivan (earned 2000 total points)
ID: 41848981
Hi,

if the valid cert for mail.mydomain.com was bound to IIS, then that is not the reason why email delivery stopped.

The error which you have posted is also not the reason for email to stop. That error simply says that there is no certificate for the server to start TLS, but that will not affect usual mail flow.

You should take a look at the event viewer to see if there are some errors, or warnings, in both the Application and System event logs, and post here if something looks strange. Usually mail flow stops because some service went down, a DNS problem, back pressure and such. There can be many causes, but the event viewer usually has some info.

Regards,
Ivan.
 

Author Comment

by:QMBB
ID: 41849081
Full error that started all this (maybe?) and server info:

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of MYEXCHANGE.MyCoInc.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of MYEXCHANGE.MyCoInc.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

Windows Server Standard SP2

Exchange Server 2007 Version: 08.02.0301.000
 

Author Comment

by:QMBB
ID: 41849083
In Event Viewer, there is an Exchange Auditing area but there is nothing in there at all.