New SSL Certificate on Exchange 2013 not working

I just installed an SSL certificate from GoDaddy on Exchange 2013. Everything looks correct. I edited the certificate and checked on SMTP, IMAP, POP and IIS. When I go to https://mail.domain.com/owa or /ecp I get a security error. It shows the self assigned certificate servername and servername.domain.local.

I did iisreset.

What am I doing wrong?
ajdratch Asked:

Wayne88 Commented:
What type of SSL cert did you get?

Can you run "Get-ExchangeCertificate -Server Mailbox01" in PowerShell to see all the installed SSL certs, then post here?  Omit any sensitive information such as domain name for privacy.

Here are the parameters: https://docs.microsoft.com/en-us/powershell/module/exchange/encryption-and-certificates/get-exchangecertificate?view=exchange-ps

Verify that your new SSL cert is on the list then ensure that the correct SSL certificate is assigned for use.

https://practical365.com/exchange-server/exchange-2013-assign-ssl-certificate-to-services/
0
ajdratch (Author) Commented:
Attached is a screen shot
Capture.JPG
0
Wayne88 Commented:
Is the first entry the SSL certificate for the Exchange server?  Can you verify that the thumbprint is the same as the new SSL certificate?  If it matches the old one then we know the new SSL cert is not installed.
0
ajdratch (Author) Commented:
The entry that I erased was their internet domain. That thumbprint matches the new certificate.
0
Wayne88 Commented:
Ok, have a look at these articles.  There are a lot of resources here and the fix may have already been mentioned, provided that you have the correct SSL certificates and all the required hostnames are listed on your SSL cert.

https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html

https://www.experts-exchange.com/articles/31221/Fix-for-Exchange-server-2016-certificate-and-related-issues.html
0
ajdratch (Author) Commented:
I went through that article and it did not help. This is what I have.

When I browse to https://mail.domain.net/owa Firefox shows "Mail.domain.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for the following names: internalservername, internalservername.domain.local"

Set-WebServicesVirtualDirectory shows
Server      : internalservername
Identity    : internalservername\EWS (Default Web Site)
InternalUrl : https://mail.domain.net/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.net/EWS/Exchange.asmx

Get-ExchangeCertificate shows:
AA81C2DC19A5C674DDEAC04290C4FE8A1E9D87D6  IP.WS..    CN=domain.net, OU=Domain Control Validated
7D5C273C8DC53712D270D2EE6788411769327607  ....SF.    CN=Federation
2DE6A57F656DA1356F9DD9463C881F85B81853BD  ....S..    CN=Microsoft Exchange Server Auth Certificate
58943B1ED433BA31D9FF0C38916B1492FC71AE5F  ...WS..    CN=internalservername
72EF5808AAD80281751452823DC74FF7F7EA835A  .......    CN=WMSvc-internalservername
0
Wayne88 Commented:
Can you confirm the steps in Exchange 2013 EAC (step a,b,c)?  This will relate which certificate is used for the checked services.  If this is set then Exchange should use the chosen SSL cert.

https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html

Or you can also use Exchange PS and do the "Enable-ExchangeCertificate -Thumbprint number -Services POP,IMAP,SMTP,IIS" command.  Replace Thumbprint number with actual.
0
ajdratch (Author) Commented:
I just verified everything is correct.

In IIS when I click to browse the default website on port 443 the browser comes up with https://localhost with a certificate error "The security certificate presented by this website was issued for a different website's address."
0
ajdratch (Author) Commented:
I ran netsh http show sslcert
IP:port 0.0.0.0:443 is using the correct certificate

IP:port 192.168.0.5 is not using the correct certificate.

My guess is if I can fix that, I may be all set
0
Wayne88 Commented:
Yes, that will be required to receive internal HTTP/HTTPS requests in IIS.  Alternatively, you can just bind the SSL cert to all IP addresses (step 12).  See this link:

https://www.digicert.com/csr-ssl-installation/iis-8-and-8.5.htm
0
ajdratch (Author) Commented:
Thanks. I added it to IIS and it worked.
0
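
The check that located the problem in this thread, as an added example (not part of any participant's post): HTTP.sys prefers an IP-specific binding over the 0.0.0.0 wildcard, so every port-443 entry from `netsh http show sslcert` has to carry the new thumbprint. The function names are hypothetical, and the sample output is constructed from the thumbprints listed above; which certificate the 192.168.0.5 binding held, and its port, are assumptions.

```powershell
# Constructed sample of `netsh http show sslcert` output (not captured from the
# poster's server). The 192.168.0.5 entry is assumed to be on port 443 and to
# hold the self-signed CN=internalservername certificate.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : aa81c2dc19a5c674ddeac04290c4fe8a1e9d87d6
    Certificate Store Name       : MY

    IP:port                      : 192.168.0.5:443
    Certificate Hash             : 58943b1ed433ba31d9ff0c38916b1492fc71ae5f
    Certificate Store Name       : MY
'@

# Turn the netsh text into one object per binding (endpoint + thumbprint).
function Get-SslBinding {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $current }          # emit the previous binding
            $current = [pscustomobject]@{ Endpoint = $Matches[1]; Thumbprint = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.Thumbprint = $Matches[1].ToUpperInvariant()
        }
    }
    if ($current) { $current }                  # emit the last binding
}

# Flag every binding on the given port whose certificate is not the expected one.
function Test-SslBinding {
    param([string[]]$Lines, [string]$Expected, [int]$Port = 443)
    Get-SslBinding -Lines $Lines |
        Where-Object { $_.Endpoint.EndsWith(":$Port") } |
        Select-Object Endpoint, Thumbprint,
            @{ Name = 'Matches'; Expression = { $_.Thumbprint -eq $Expected } }
}

# On the server itself, use:  $lines = netsh http show sslcert
$lines = $sample -split "`r?`n"
Test-SslBinding -Lines $lines -Expected 'AA81C2DC19A5C674DDEAC04290C4FE8A1E9D87D6'
```

Against the sample, the 0.0.0.0:443 row reports `Matches = True` and the 192.168.0.5:443 row reports `False`, which is the stale binding that the IIS site binding change replaced.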