SooHow Cheng

Why cert error for this MS Outlook?

This is using MS Exchange Server 2016. This Exchange server is hosting a few email domains, such as,,, and A user has her MS Outlook set up with,, and was greeted with the following cert warning,

User generated image

Note: the autodiscover is

We pressed "View Certificate..."; both the CA and Exchange certs are valid, with no exclamation mark. As for the "mx" and "autodiscover" hosts, these are all already listed in the certificate.

In MS Outlook, we found that when highlighting "", a "disconnect from exchange" was found on the task bar. The other 2 are without problems.

What is missing from the settings, and how do we solve the problem?


DEMAN-BARCELO (MVP) Thierry

The "full" name used for the access is not in the certificate.

Note that the name Autodiscover is only used for configuration. Another name has been configured in Exchange to access the data.

Have you configured a CNAME for Autodiscover in all domains (, def,com, and defined in the local DNS?

David Favor

What you'll get, from the above command, is output like this...

# echo QUIT | openssl s_client -connect 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
            Not After : Dec 18 20:06:44 2021 GMT

So you'll see the expiration date, along with each property covered... which in this specific case is a wildcard cert covering all hosts for this domain, along with the bare domain.

SooHow Cheng

Hi all,

Please give me some time to go through your suggested steps.
Hi Pete Long,

Thanks for sharing the various URL settings for internal and external. However, I think the server side is working fine. The problem should be only on this user's desktop.
There's still a server side problem...

# This is correct, although best avoid CloudFlare at all costs, if stable tech is your goal...
net15 # echo QUIT | openssl s_client -connect 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
            Not After : Nov 15 23:59:59 2022 GMT
      , DNS:*,

# This is incorrect, so no lookup for the autodiscover host will ever work...
net15 # echo QUIT | openssl s_client -connect 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
unable to load certificate
140332014576960:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

So here is what appears to be happening.

1) Your wildcard cert covering * (all hosts) is correct.

2) Your HTTPS config for is incorrect.

Fix: Add an HTTPS stanza to cover the autodiscover host.
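
Added example, not part of the original thread: a POSIX shell check that takes the `DNS:` entries printed by the openssl command used above and reports which `autodiscover.<domain>` names the certificate does not cover, applying the rule that a wildcard stands for exactly one left-most label. The certificate text and the example.com/.net/.org domains are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `openssl x509 -noout -text` output (placeholder domains).
SAMPLE_X509='            Not After : Dec 18 20:06:44 2031 GMT
                DNS:*.example.com, DNS:example.com, DNS:mail.example.net'

# Print each SAN DNS name found in x509 text on stdin, one per line, lower-cased.
san_names() {
    tr -s ', \t' '\n\n\n' | sed -n 's/^DNS://p' | tr '[:upper:]' '[:lower:]'
}

# san_matches SAN HOST: exact match, or a "*." wildcard standing for exactly one
# left-most label (*.example.com does not cover example.com or a.b.example.com).
san_matches() {
    case "$1" in
        '*.'*)
            suffix=${1#?}                      # ".example.com"
            label=${2%"$suffix"}               # what "*" would have to stand for
            [ "$label" != "$2" ] || return 1   # host does not end in the suffix
            case "$label" in ''|*.*) return 1 ;; esac
            return 0 ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# name_covered HOST X509_TEXT: succeed if any SAN entry covers HOST.
name_covered() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$2" | san_names | (
        while read -r san; do
            if san_matches "$san" "$host"; then exit 0; fi
        done
        exit 1
    )
}

# uncovered_hosts X509_TEXT DOMAIN...: list autodiscover hosts the cert misses.
uncovered_hosts() {
    san_text=$1; shift
    for domain in "$@"; do
        name_covered "autodiscover.$domain" "$san_text" ||
            printf '%s\n' "autodiscover.$domain"
    done
}

# Demo on the constructed sample: one line per hosted email domain not covered.
uncovered_hosts "$SAMPLE_X509" example.com example.net example.org
```

To check a live server, pass the text output of the `openssl s_client ... | openssl x509 -noout -text` pipeline as the first argument, followed by every email domain configured in the Outlook profile.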