problems with SSL

Status
Not open for further replies.

reynolwi

IS-IT--Management
Sep 7, 2006
452
US
Ok... I may be posting in the wrong area but I'm having problems with a new SSL certificate. I had a GoDaddy certificate installed on my Exchange 2010 server and it was time for renewal. Well, I decided to try a Comodo Essential SSL certificate instead of GoDaddy since I could get it cheaper from Comodo.

I created a new CSR request from within IIS ensuring I used the same info from the past CSR request so it matched the current certificate and got a new SSL cert issued from Comodo. I removed the old GoDaddy and installed the new SSL from Comodo in IIS and installed all the Intermediate certs and such. Everything is looking good so I revoked the old GoDaddy and removed it so it didn't renew and that started my problem.

I cannot access https:// for Exchange or even the server. It's telling me that my SSL cert has been revoked. When I run an SSL check on the domain name the SSL cert was issued to, it comes back with the old GoDaddy cert and not the new one.

What happened? Why is it using the old cert? I went into Exchange console under server settings and I just now noticed it's showing the new cert from Comodo as not being a valid Exchange certificate.

Wm. Reynolds
Senior VP - Information Technology and Fleet Operations
Texas Public Safety Solutions | PremCOM

- - - - - - - - - - - - -

Network Error:
Hit any user to continue
 
And just to clarify... The old GoDaddy cert was a single domain certificate and so is the new Comodo cert. I don't have it set up for autodiscover or anything else. I do not have POP3 or IMAP turned on. Just ActiveSync, OWA, Outlook Anywhere for remote clients to connect Outlook over HTTP.

Wm. Reynolds
Senior VP - Information Technology and Fleet Operations
Texas Public Safety Solutions | PremCOM

- - - - - - - - - - - - -

Network Error:
Hit any user to continue
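
An added example (not part of the original thread): a PowerShell check of which certificate the server actually presents on port 443 and whether Windows considers its chain revoked, the two symptoms described in the posts above. The host name is the one shown later in the thread's output; the port and the accept-all validation callback are assumptions made for diagnosis only.

```powershell
# Host name from the thread's output; replace with the name your clients use.
$hostName = 'servername.domain.net'
$port     = 443   # assumption: HTTPS on the default port

$tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
try {
    # Accept any certificate so that a revoked or untrusted one can still be
    # inspected. Diagnostic use only; never use this callback in client code.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($hostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Validate the served certificate ourselves, with online revocation checking
# for every certificate in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($served)

# Issuer and thumbprint show whether the old or the new certificate is bound.
$served | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
"Chain valid: $chainOk"

# A status of 'Revoked' here matches the browser error described above.
$chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
```

Compare the printed thumbprint with the thumbprints listed by Get-ExchangeCertificate to see which installed certificate IIS is serving.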
 
If you do a Get-ExchangeCertificate, what certs does it show, and for what services?

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
It shows 2 certificates. The first one shows to be the EssentialSSL cert that I just got and put in IIS. The second shows just the server name so I'm guessing that is its self-signed cert that it uses.

The Certs show the following...

Services Subject
--------- -----------
......... CN=servername.domain.net, OU=EssentialSSL, OU=Domain Control Validated
IP..S. CN=servername

Wm. Reynolds
Senior VP - Information Technology and Fleet Operations
Texas Public Safety Solutions | RRWDS

- - - - - - - - - - - - -

Network Error:
Hit any user to continue
 
And as of this morning no smart phone can connect to the server. All the iPhones are reporting they cannot get mail. The connection to the server failed.

Only physical Outlook clients can connect that are on the network or connected through VPN. Outlook clients not connected to the VPN or the network are failing to connect via Outlook Anywhere RPC/HTTPS.

Wm. Reynolds
Senior VP - Information Technology and Fleet Operations
Texas Public Safety Solutions | RRWDS

- - - - - - - - - - - - -

Network Error:
Hit any user to continue
 
So, it looks like the trusted cert isn't enabled for services. It should be enabled for IIS and SMTP.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
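
An added example (not part of the original thread, and not the command posted by any participant): one way to enable the CA-issued certificate for IIS and SMTP from the Exchange Management Shell, as the reply above describes. The subject name is the one from the output posted earlier; the thumbprint is looked up rather than typed in, and the sanity checks are additions.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# Subject name taken from the output posted above; adjust to your own host name.
$subject = 'servername.domain.net'

# Find the CA-issued (not self-signed) certificate whose subject matches.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "CN=$subject*" -and -not $_.IsSelfSigned }

if (-not $cert)              { throw "No CA-issued certificate found for $subject" }
if (@($cert).Count -gt 1)    { throw "More than one match; select one by thumbprint" }

# Exchange cannot use a certificate whose private key is not on this server.
if (-not $cert.HasPrivateKey)      { throw "Certificate has no private key on this server" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Current state: Services is 'None' (shown as dots only) in the situation above.
$cert | Format-List Thumbprint, Subject, Issuer, NotAfter, Services, Status

# Bind the certificate to IIS (OWA, ActiveSync, Outlook Anywhere) and SMTP.
# The cmdlet may ask for confirmation before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# Confirm the change; the short listing should now show W (IIS) and S (SMTP).
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Services, Status
```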
 
So how do I get this changed, Pat? The old GoDaddy cert didn't have any problems, but I put this one on and I guess I didn't do something right. I just need the SSL for SMTP, OWA, Outlook Anywhere for RPC/HTTPS, and ActiveSync for the smartphones, and I guess IIS.

It just seems like Exchange isn't picking it up right.

Wm. Reynolds
Senior VP - Information Technology and Fleet Operations
Texas Public Safety Solutions | RRWDS

- - - - - - - - - - - - -

Network Error:
Hit any user to continue
 
As always Pat you are awesome. That fixed my problem and it's now showing the EssentialSSL as ...WS. under services.

Question though... In EMC under server configuration and Exchange certificates it's still showing the EssentialSSL as "The certificate is invalid for Exchange Server usage." but all my smartphones are now working again and so is OWA and Outlook Anywhere. Does this matter?

And I guess when this cert expires I need to get a multi domain cert for autodiscover and such to work correctly.

Wm. Reynolds
Senior VP - Information Technology and Fleet Operations
Texas Public Safety Solutions | RRWDS

- - - - - - - - - - - - -

Network Error:
Hit any user to continue
 
There should be something in the event logs to indicate problems with the cert, if they exist.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 