Bert2005 asked:
GoDaddy versus Microsoft and I am IN the middle and OUT $379.00 (the story of the SSL from hell)

This started with a similar question of how to again use Access Anywhere after the SSL from GoDaddy that Microsoft uses expired. Since I had no account and did not own this certificate, I could not renew it. Microsoft worked on this for two days without fixing it; most of the time I had to explain Windows Essentials, Access Anywhere and the GoDaddy certificate.

Microsoft asked me to go to GoDaddy and try again to renew it. They said no, but suggested that I change my server domain name from rvphysician.remotewebaccess.com to remote.riverviewpediatrics.org since I had to use my domain name with a prefix. I did this. GoDaddy then verified that I owned riverviewpediatrics.org by going to the domain registrar that I bought it from.

GoDaddy then sold me an SSL certificate which would bind with rvphysician.riverviewpediatrics.org and gave me five files:
dkusref38fs8s.crt
md-m2_iis_intermediates.p7b
(those two had certificate icons next to them)
dkfuesah83plsl3dlj.pem
generated-csr.txt
generated-private-key.txt

The tech at GoDaddy who gave me those files stated that Microsoft would know how to use them to make a SSL certificate bind to the rvphysician.riverviewpediatrics.org.

But, when we (Microsoft and I) tried to use the Access Anywhere it wouldn't work as we did not have a Personal Information Exchange file.

Therefore, Microsoft sent me back to GoDaddy asking if they could give us that file. GoDaddy informed me that there is no way to do that. He said the Microsoft server must generate a private key using the generated-csr.

Microsoft is supposed to call at 10 am tomorrow morning, but I have no faith that they will know how to do that. When I Google it, it states to SSH to my account (good luck with that and what account). Then to enter certain things at the command line.

Like I said, GoDaddy says one thing and Microsoft another; and I, a rather stupid person when it comes to SSL certificates and Access Anywhere, am in the middle. We almost need Microsoft on the phone with GoDaddy.

I bought a domain name for $6.99. Does an SSL certificate really cost $379.00 a year?



Rob Williams:
This question wound up in my inbox.
SBS/Essentials: wizards, wizards, wizards.
Kevin has a great explanation of how to run through the wizard. Microsoft, I do not believe, offers their remote access feature and certificate anymore. We have always used custom domains for our clients. You can have remote.domain.abc. Just use it within the wizard, create the certificate request, log into GoDaddy, choose to manage your SSL certificate and choose re-key. Once it goes through the approval process you can download. You only need the .crt and .p7b files, then follow the wizard as per Kevin's instructions.
Renew SSL Certificate for 2012 R2 Essentials :: KW Support & Consulting LLC (archive.org) 
I bought a domain name for $6.99.

You will have to renew this annually, probably for more money to renew

Does an SSL certificate really cost $379.00 a year?

There are cheaper places to buy a certificate, or you could use letsencrypt.org to get a free certificate that is only valid for 3 months, and you need to set up an auto-renew method.
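The certificate in this thread lapsed without anyone being told, and short-lived certificates such as Let's Encrypt's make silent expiry more likely, not less, unless something watches for it. The following is an added example (not code from the original post, nor from Microsoft, GoDaddy or Let's Encrypt) in Python using only the standard library: it takes a certificate in the dictionary shape `ssl.SSLSocket.getpeercert()` returns, reports days until expiry, and checks that the name you will connect with is covered by the certificate's Subject Alternative Names, including the wildcard case. The three sample certificates, the `EXAMPLE_NOW` clock and the 30-day warning threshold are constructed for the example.

```python
"""Pre-flight check for a remote-access TLS endpoint (added example, standard library only).

Works on certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
All sample certificates and the EXAMPLE_NOW clock below are constructed for this example.
"""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30  # assumption: warn a month out, well inside a 90-day Let's Encrypt lifetime

# Constructed clock so the offline results are reproducible.
EXAMPLE_NOW = ssl.cert_time_to_seconds("Jul 01 12:00:00 2021 GMT")

# Constructed sample: the lapsed remotewebaccess.com certificate discussed in the thread.
SAMPLE_LAPSED = {
    "subject": ((("commonName", "rvpediatrics.remotewebaccess.com"),),),
    "subjectAltName": (("DNS", "rvpediatrics.remotewebaccess.com"),),
    "notBefore": "Jun 15 00:00:00 2020 GMT",
    "notAfter": "Jun 15 23:59:59 2021 GMT",
}
# Constructed sample: a wildcard certificate of the kind GoDaddy sold.
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "*.riverviewpediatrics.org"),),),
    "subjectAltName": (("DNS", "*.riverviewpediatrics.org"), ("DNS", "riverviewpediatrics.org")),
    "notBefore": "Jun 20 00:00:00 2021 GMT",
    "notAfter": "Jun 20 23:59:59 2022 GMT",
}
# Constructed sample: a 90-day certificate nearing the end of its life.
SAMPLE_SHORTLIVED = {
    "subject": ((("commonName", "remote.riverviewpediatrics.org"),),),
    "subjectAltName": (("DNS", "remote.riverviewpediatrics.org"),),
    "notBefore": "Apr 21 12:00:00 2021 GMT",
    "notAfter": "Jul 20 11:59:59 2021 GMT",
}


def san_covers(hostname: str, cert: dict) -> bool:
    """True if a DNS SAN entry covers hostname. A wildcard matches exactly one
    left-most label: *.example.org covers remote.example.org but neither
    example.org itself nor a.b.example.org."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            label, dot, rest = host.partition(".")
            if label and dot and rest == pattern[2:]:
                return True
    return False


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left before notAfter; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (not_after - now) / 86400


def assess(hostname: str, cert: dict, now: Optional[float] = None) -> dict:
    """Combine both checks into one status a scheduled monitoring job can alert on."""
    days = days_until_expiry(cert, now)
    matches = san_covers(hostname, cert)
    if days < 0:
        status = "EXPIRED"
    elif not matches:
        status = "NAME MISMATCH"
    elif days < WARN_DAYS:
        status = "RENEW SOON"
    else:
        status = "OK"
    return {"host": hostname, "days_left": round(days, 1), "name_matches": matches, "status": status}


def check_live(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Online variant: fetch the certificate the server really presents. The default
    context validates during the handshake, so an expired or mismatched certificate
    surfaces as SSLCertVerificationError and is reported rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"host": hostname, "status": "VERIFY FAILED", "reason": err.verify_message}
    return assess(hostname, cert)


if __name__ == "__main__":
    for host, cert in (("rvpediatrics.remotewebaccess.com", SAMPLE_LAPSED),
                       ("remote.riverviewpediatrics.org", SAMPLE_WILDCARD),
                       ("remote.riverviewpediatrics.org", SAMPLE_SHORTLIVED)):
        print(assess(host, cert, EXAMPLE_NOW))
```

Run `check_live("remote.yourdomain.example")` from a scheduled task and alert on any status other than OK; the offline functions are what you would unit-test, and they also show why a single-host certificate for remote.yourdomain is enough: the wildcard buys nothing for one host name.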
Bert2005 (asker):
@Rob and David,

Thanks. That is what I kinda thought. I think GoDaddy had it backwards. Having me make up the domain name (Rob's exactly) and making a cert for it. I have always remembered getting the info from the server such as SBS and requesting from DomainIT or GoDaddy.
Most of my clients are using LetsEncrypt now - it's free, and having certs expire quickly is actually an advantage in my opinion.

Set it up to auto-renew every two months (say).

Alan.
As I go through the wizard, it wants the following information:

(screenshot: Organization.PNG)

For organization, do I put www.riverviewpediatrics.org (my actual domain)

or

remote.riverviewpediatrics.org (which I am using for Access Anywhere or does it matter)

PS Thought the title of the question was catchy. Probably should have used a more descriptive one. :-)
Hi Alan,

Thanks.

Does anyone know why Microsoft used their domain name remotewebaccess.com and then used GoDaddy for the SSL? Which then expired and I never knew. No emails. Nothing. I would, of course, have renewed it.

It's also weird that I kinda knew this was wrong (and the three experts definitely knew what GoDaddy did wasn't going to work) and Microsoft was literally clueless on this. They are still working on it.
So, I decide to start from scratch and generate the csr using the wizard for A.A. I copy the cert to place it in the Request SSL on GoDaddy page. Follow the directions and it takes me right to the wild card cert they generated. Which would supposedly work if Microsoft knew how to use it. The wildcard certs are quite pricey, and I don't even need it for one subdomain for the A.A. remote.riverviewpediatrics.org.

I know when I called GoDaddy yesterday, the tech had me make an account, then generated the csr and private key and said it would work but Microsoft would need to do the rest. Good luck with that.

Then I called a second tech and he IN NO UNCERTAIN TERMS practically yelling at me stated you simply can't do it without having the csr generated by my server. OK. Then they need to reimburse me for the original one they made.

I simply don't understand why, when Microsoft used the free domain name rvpediatrics.remotewebaccess.com when first setting up Windows Server Essentials and A.A., then used GoDaddy for the SSL (everything I have read states they use them now, or did), and the cert expired, they couldn't figure out a way to remedy that situation.

I remember when I first called Microsoft on Sunday and was transferred, literally, to five departments, one of the techs said, "I have heard of this happening a number of times." Well, yes, it is going to happen if there is an SSL cert floating around out there that belongs to someone, yet I must now be that someone as I didn't get any notification to renew it, and GoDaddy will not let me renew it since it is not mine.

It does seem simpler to generate the csr from the server that A.A. resides and then use it on GoDaddy or DomainIt or the others. But, I also find it hard to believe that the first GoDaddy tech would sell me a wildcard SSL and not know how to set it up. The suggestions on here will likely get me through this, but a phone call with Microsoft and GoDaddy would probably fix the situation. Meanwhile I log in with Chrome's new remote which is free and works pretty well.

It is also weird that Microsoft remotes in with either Quick Assist or LMI.
Certs have been free for years.

https://www.experts-exchange.com/questions/29178012/Exporting-a-UCC-SSL-to-a-Windows-Apache-Web-Server-and-Configuring-Apache-to-use.html provides details about working with free LetsEncrypt certs...

1) Initial cert generation

2) Hands-free auto-renewal forever

3) Server bounce (stop/restart/reload) to re-ingest certs whenever certs renew.
Thank you David. My problem stemmed mainly from a cert out there that Microsoft was responsible for and let lapse. It was strange, and I didn't know what to do.

I believe I will get my money back for the wildcard cert. GoDaddy is helping. I canceled my appt with Microsoft today as I am not sure they understand. It's been difficult explaining to GoDaddy how the remotewebaccess.com works and to Microsoft what the lapse for the SSL with GoDaddy has been. Both have me call the other.
Microsoft used to offer the "remotewebaccess" service for free with Essentials and before that Home Server, but not SBS. They no longer support it, so you have to provide a domain name and buy a certificate, the same as was required with SBS. You can use any domain name you like so long as DNS for that domain is configured to point the host name to your Essentials server (RD Gateway). The common choice is your company domain name and the prefix (host name) remote. You can use most any certificate but not all will work with the wizard. GoDaddy certs work well and they have fantastic support. You don't need a wildcard certificate, just the standard SSL which is about $80 US. GoDaddy does have an install process but you should use the wizard instead. I suspect a large percentage of Microsoft support staff these days have no idea what you are asking.
Hopefully this works. Currently, rvpxkejrrelj.remotewebaccess.com is the domain still. GoDaddy still has that SSL. They let me renew it. But, so far not currently working. Not sure if it needs to propagate now. I did ipconfigs and it shows rvsxkfsjlre.remotewebaccess.com is still the domain name. It should work, although GoDaddy wants to configure it I guess in certain certificate folders. But, it should already be there.

No Microsoft doesn't really know much about it. 
It's not just a certificate issue. If Microsoft no longer offers the service you would need to be able to manage DNS for remotewebaccess.com so that you can point rvsxkfsjlre.remotewebaccess.com to your server. You cannot. Microsoft did this by a tool within Essentials that reported your current public IP to their servers. Basically a DDNS service. You also cannot renew the rvsxkfsjlre.remotewebaccess.com certificate because you cannot prove domain ownership.
They let me do it due to my GoDaddy membership. It is already made.
Hi Rob,

So, did Microsoft stop this service on June 15? Was it stopping what made the GoDaddy SSL say it was expired? I am just asking.

Sorry about the masks I use on my domains. I don't know which I am supposed to reveal and which not to.
I have never used the service, I have always used a client domain name and purchased certificates, but I thought I had heard more than a year ago Microsoft was going to drop the service and everyone should do the same. I just Googled it and apparently it still works but has been flaky, and there have been a lot of issues the last 2 months relating to TLS versions and DDNS as a result of updates. The blogs point to the following article in German. If using Edge you can get a reasonable translation. I admit I have not even read it, but it may put you on the right track. Having said that, all of the information I provided using your own domain and certificate still works. I am no help with the fix as I have not dealt with the service or the problem.
Windows SBE remotewebaccess.com Update fails | Windows SBS and Essentials Blog (sbsland.me) 
Thanks Rob,

Yes, I have been working on remote.riverviewpediatrics.org and used it in the wizard. One GoDaddy tech helped me get the old cert back. So far working on that, the flaky one. Microsoft did upgrade TLS to 2.1 if that is the highest.

The other tech went with the above domain name, but gave me an unneeded wildcard certificate, which are way too pricey.

This won't happen, but I wish Microsoft and GoDaddy could talk.
You mentioned, "I believe I will get my money back for the wildcard cert."

Likely yes. GoDaddy provides refunds fairly easily.
As far as trying to RDP to remotedfjerssffe.riverviewpediatrics.org I am unable anyway to set it up as the domain using Access Anywhere. I haven't tried specifically removing the given domain as it states it may break other things.

Well, I did get my money back. I will start back at it on Saturday.

I think either try something like example.riverviewpediatrics.org and get an SSL.

Or just try to set up RDP via an RD Gateway.

GoDaddy does have good support. But, with chat, they just say: "Do this, do that, read this, read that...it will work then...go get 'em."
SOLUTION by Rob Williams (members-only content, not included on this page)
Thanks Rob. Yeah, it has to be done by the wizard. GoDaddy has been wonderful but that is what I mean. I get a new tech and a new answer. But, they won't follow it all the way to the end. They will say something like, "OK, all set up. Just follow that guide and use IIS. It WILL work." Then it doesn't work.

Am I wrong? Isn't it best to get the CSR first from the wizard then use it to get the pfs or whatever? Or the cert and private key. I know there was one time I imported the correct file and it needed a password.

Which is the best way: Configure or Set up.
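On the CSR-first question: the CSR is the only thing the CA needs, the private key stays on the server, and a .pfx (PKCS#12) is that private key plus the issued certificate plus the intermediates wrapped together under a password, which is why only the machine holding the key can produce one and why the import asked for a password. The following added example (not from the original thread, the Essentials wizard or GoDaddy) walks that whole cycle in Python with the `cryptography` package. The CA is a constructed self-signed toy so the example runs offline; in practice the CSR goes to the public CA and the certificate comes back. `remote.example.org`, the bundle name and the passwords are placeholders.

```python
"""Key, CSR, certificate, PFX: the whole cycle in one place (added example).
Uses the `cryptography` package. The CA is a constructed self-signed toy so this
runs offline; host name, bundle name and password are placeholders."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

HOSTNAME = "remote.example.org"  # placeholder for the remote-access host name


def make_key_and_csr(hostname: str):
    """Step 1, on the server: the private key is created here and never leaves.
    The CSR carries only the public key and the requested names."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def toy_ca():
    """Constructed stand-in for the public CA: a self-signed root certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Toy CA")])
    now = datetime.now(timezone.utc)
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert


def issue(csr, ca_key, ca_cert, days: int = 365):
    """Step 2, at the CA: check the CSR's self-signature, then bind the CSR's public
    key and names into a certificate. The CA never sees the private key."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify")
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=days))
    )
    for ext in csr.extensions:  # carry the requested SAN across
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())


def build_pfx(key, cert, chain, password: bytes) -> bytes:
    """Step 3, back on the server: key + certificate + intermediates in one
    password-protected PKCS#12 (.pfx) bundle. Only the key holder can do this."""
    return pkcs12.serialize_key_and_certificates(
        name=b"remote-access",  # placeholder friendly name
        key=key, cert=cert, cas=chain,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def pfx_opens_with(pfx: bytes, password: bytes) -> bool:
    """A wrong password fails to decrypt the bundle instead of yielding garbage."""
    try:
        pkcs12.load_key_and_certificates(pfx, password)
        return True
    except ValueError:
        return False


def round_trip(hostname: str = HOSTNAME, password: bytes = b"constructed-password") -> dict:
    """Run all three steps, reload the bundle and verify it is internally consistent."""
    key, csr = make_key_and_csr(hostname)
    ca_key, ca_cert = toy_ca()
    cert = issue(csr, ca_key, ca_cert)
    pfx = build_pfx(key, cert, [ca_cert], password)
    loaded_key, loaded_cert, loaded_chain = pkcs12.load_key_and_certificates(pfx, password)
    san = loaded_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return {
        "san": san.value.get_values_for_type(x509.DNSName),
        "issuer": loaded_cert.issuer.rfc4514_string(),
        "key_matches_cert": loaded_key.public_key().public_numbers()
        == loaded_cert.public_key().public_numbers(),
        "chain_len": len(loaded_chain),
        "opens_with_wrong_password": pfx_opens_with(pfx, b"not-the-password"),
    }
```

The design point is the asymmetry: steps 1 and 3 need the private key and so happen on the server (the wizard does both), step 2 needs only the CSR and happens at the CA. A CA that generated the key for you, as the first GoDaddy tech did, hands you a key the server never made, and a .crt/.p7b pair on its own can never become a .pfx because the key half is missing.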
ASKER CERTIFIED SOLUTION (members-only content, not included on this page)
Quick question before I respond. I never know what domains, addresses, etc. to mask for not. If the name is, for example, "remotetorvp.remotewebaccess.com" do you not want people to know the "remotetorvp" part? Seems they could connect at least as far as a user's username and password?

On the other hand, how difficult is it to guess? I mean my IT had it "rvpediatrics". Knowing the name of the site, the fact that it is pediatrics, people using the word "remote" a lot....
Firstly it is no more difficult than when using remotewebaccess.com.
There is an argument for buying and using an unrelated domain name like my_pet_fido.com since without Exchange there is no need to use your domain.
However you should have group policy configured to enforce complex passwords and lockouts after 'X' (my preference is 4) wrong guesses. Yes they can guess user name and password but almost impossible to do with complex password in less than 10,000 guesses and you locked them out after 4. I am starting to implement Duo on my RD Gateway servers to enforce multifactor authentication for remote access. Should someone somehow obtain a password through phishing I am hoping this will protect the site.
OK, the final answer. Based on Rob's post but only after the fix. First the article mentioned should be aptly named:

Renew SSL Certificate for 2012 R2 Essentials WITHOUT MICROSOFT OR GO DADDY HELPING IN ANY WAY! KEEP THEM THOUSANDS OF KILOMETERS AWAY FROM YOUR CHAT OR PHONE.

First, let me say that while I have requested or renewed a few domain names or certificates or whatever, it has always started with me using a CSR to generate the code to use on the registrar company such as DomainIT.com. From there, they generate the .crt and .pf7 files. GoDaddy support tech #5 didn't like the .pf7 files so he gave me an exchange to ensure I could change it to .pfx.

GoDaddy tech #1 made the files for xxxxxx.riverviewpediatrics.org, but like all of them told me IT WOULD WORK, go now and fix it and you will be home in time for a Heineken and the sequel #3 of The Matrix. Well, I could never get it to work, and would return to GoDaddy, who upon reading the account would give me something else to do, which always made sense, but they never walked me through it, and unfortunately as far as I could tell these companies do not remote to your server. Now, keep in mind all of this was being done while Microsoft was spending hours on my Access Anywhere, upgrading to Tier 2 and then 3 or double teaming, seeming to either read their manual or taking five minutes to read every word on Access Anywhere that I had memorized hours before.

The fact that MS and the tech specialist for SBS (now Windows Server Essentials) knew the issue was with GoDaddy's certificate of rvpediatrics.remotewebaccess.com not being valid as of June 15th did little to help them solve the problem. The interesting thing is the case is still open; I had only asked for 24 hours to regather my thoughts and work through it with EE. So, step by step, if you are interested, with the article Rob gave.

Generate the SSL request on the server: While I had done this and copied and pasted it, no one wanted it and it just stayed on a note pad file.

Part One -- Server:

I didn't uncheck that box when I had the files for xxxxx.riverviewpediatrics.org and things never worked out.

I did not uncheck it when rvpediatrics.remotewebaccess.com was renewed for $79.00 as I thought that simply renewing it would fix everything. I waited hours for it to "propagate" into the cyber atmosphere. This was the answer GoDaddy support tech #6 gave me, and I was quite happy to have my old cert back.

At times I checked the Import a new trusted SSL certificate or the one below depending on MS or GD or just my random troubleshooting.

Rob, if he remembers me, would have bet $1,000s I would check the box with the yellow triangle which states you can check this, but then you will break everything on your server and every server within two miles of your office (a bit of an exaggeration in case anyone wanted to comment on that).

I had gotten to this page several times with the proper words in the three boxes, which I must admit were too simple even for MS, but the difference between buying a new one and using an existing one was never very clear to me given all of the choices.

The next screen -- (see above). It is about here on day three that I ask for my $379.00 and $79.00 back, which they did. But, not without GD tech #7 trying to tell me he could fix it. Where is Susan Bradley when you need her?

Of course, you then would have received the two files .crt and .p7b obtained the correct way, but I will say, and I will never know, that I had those files from GD support #1. (This is actually 1a as this started with a 5 am phone call to GoDaddy wherein the GD support tech was very nice but basically ended the conversation with, "please just go away." Especially since I didn't have an account and rvpediatrics.riverviewpediatrics.org really belonged to MS.)

Part Three -- Server:

Well, the author of this great blog post alludes to the MMC and the intermediate file from GoDaddy. If only MS or GD would have just humored me and gone there and done what KW suggested, xxxxx.riverviewpediatrics.org may have been my new domain name.

(screenshot: Cert insert.GIF)

PART 4 THE FIX:

I don't know. Somewhere around 11 am EDT, I ran through the wizard again. And, for those of you who watched "Queen's Gambit," I just stared at the ceiling, watching the whole process play out over and over on the ceiling, and even without the 'greenies,' drugs we are not allowed to use while seeing patients, I had an epiphany. Did some settings, then clicked on repair. Closed the VM and saw patients until 6 pm EDT. Sitting down tired, I went to xxxxxESS as I do some small backups from there. Out of the corner of my eye, I noted a green checkmark on a window which stated that remotexxxxx.remotewebaccess.com was now my domain. I didn't really trust it, but upon arriving home, I slowly typed the new name into the server settings of RDP. Clicked connect and got that wonderful yellow certificate which means something but to me it always means the next click will work, AND IT DID.

So, while I will spend a few minutes trying to score this with EE's new scoring system (sorry if I screw it up) I wish I could stop it from saying there is a solution, because anyone following my comments will never get this to work.

And, finally, the ultimate question. How long will the new cert last? How do I upgrade it? Maybe it is now on my GoDaddy account. So, while I am not completely impressed with GoDaddy, they get the benefit of the doubt due to those wonderful SuperBowl advertisements. I am also convinced, if I simply needed an SSL for an existing domain, they could have helped me.
So, the certificate is in the personal store in the certificate manager. Looking at the old one, it appears to self-renew every one to four days. What makes it expire I don't know.

How do I find out how to renew this one. Sometimes I do feel that I should actually purchase one that goes in the Trusted Certificates Authority and is truly mine and I can renew or auto-renew based on settings and I can purchase a new one.
Microsoft owns remotewebaccess.com and it has been up and down. More down than up lately
https://www.whois.com/whois/remotewebaccess.com
So, maybe all that was just they were "down." Do you mean the whole setup was down?
Microsoft has pretty much abandoned remotewebaccess.com, they would prefer we all use server standard and if possible a cloud variation.  Support is difficult to find for Essentials features.
There is nothing you can do to renew the remotewebaccess.com certificate; as David said, Microsoft owns that domain. The fact is, from what I have read, the certificate did not expire; rather that error message was a red herring and repairable in the registry as per one of the links I provided pertaining to moving to TLS 1.2.
If you paid $79 the certificate expires in one year. Heads up: they will send you a panicky notice that it is expiring 3-5 months before it does. To renew you go through the same process except do not change the host and domain names, i.e. run the wizard, upload a new CSR, wait for approval, download and complete the wizard.
Did you use the MMC to import the p7b intermediate certificate? Seems to work fine without doing so but that is part of Microsoft's recommended procedure.
Pretty much, there's many a Reddit thread on this. About a year ago they changed name servers to comlaude.com.
https://downforeveryoneorjustme.com/remotewebaccess.com is down
https://www.experts-exchange.com/questions/29219854/GoDaddy-versus-Microsoft-and-I-am-IN-the-middle-and-OUT-379-00-the-story-of-the-SSL-from-hell.html#a43313124 

Yes, Rob, you are correct. At least from watching Tier III go through the Registry.

This is what Microsoft stated they accomplished on one of their efforts:

  • Checked DNS pointing – set IPV6 to automatic (should this have been IPV4)
  • Created reverse lookup zone, as nslookup is not resolving the server name.
  • Set the TLS settings for TLS 1.2.
  • Rebooted the server, issue still persists.
Don't get me wrong. Once I get Microsoft to do a support incident, they are usually incredible. I think part of it was they were slightly dependent on GoDaddy. So, GD was trying to do what they normally do and had no idea what Access Anywhere was. I haven't seen them charge for a wild type certificate for what I was doing. Certainly didn't need every subdomain. What I don't understand was why Microsoft had to pass this off several times, not because they needed someone that specializes in it, but that they didn't seem to be all over what the deal was with Access Anywhere.

@David you may be referring to the time that Access Anywhere went down due to DNS issues. As Rob always says it is always DNS. IT support around the world was freaking out as their customers couldn't remote to their servers. Microsoft knew the issues and fixed it.

I apologize for my long-winded last post, which didn't really make clear sense. Rob is used to them so he speaks "Bert."