Trusted Certifying Authority Certificate


snotty54

Technical User
Jun 28, 2010
KY
Dear All:

I've been trying to sort out this problem for a while. I thought that maybe it wasn't important but because I'm seeing about 15-20% of my outgoing mails not arriving (via Exchange non-delivery email) I'm starting to think it may have something to do with that. The details are:
1. SBS 2008 / Exchange 2007
2. Hosted domain, all email direct smtp to my server
3. Go-Daddy Certificate

The error that pops up is a dialog box that identifies itself at the top as: autodiscover.domain.ext. It states there is a problem with the site's security certificate and then states the following:
1. The security certificate is from a trusted certifying authority
2. The security certificate date is valid
3. The name on the security certificate is invalid or does not match the name of the site.

I always click yes to proceed. When I first came across this problem, I checked with Go-Daddy and their site allows one to "re-key" the certificate so I went through the adding a trusted certificate wizard in Exchange and used the csr generated to re-key the certificate, but I'm still getting this error.

I've noticed on some Exchange Error messages that my internal domain is referenced in the email error dialog as the domain sending out the email although my external domain, where all my mx records point to, is different.

Does anyone have an idea of what this is and how to fix? If this is a dumb question, I apologize.

Any help appreciated,

Scott
 
GoDaddy has intermediary certificates which must be installed to establish the full certificate chain.

Do you have the GoDaddy intermediate certificate(s) installed?

See this link...


Also, I doubt your NDRs are a result of an incomplete certificate chain. If you want to post the NDR status messages, maybe I could offer some insight.




Chris Clancy, EnCE CCE

MCITP: Enterprise Messaging
MCITP: Server Administrator

" ... when you can't figure out what the problem is, find out what it isn't.... "
 
Hi Chris:

Thanks, I think you've hit on it. I now remember there were 2 items that came in the Go Daddy zip and I didn't know what to do with the other one. Thanks for the article link, I'll work on that tonight.

Scott
 
Scott-

Glad I could help... good luck.

Chris Clancy, EnCE CCE


 
Hi Chris:

I installed the Go Daddy intermediate certificate per the instructions in the link, and all seemed to go well. I'm still getting the dialog box popping up though. The install procedure went on with the SSL cert install but that had already been installed with adding the trusted certificate wizard a while back, so I didn't go forward with that. Would the ssl cert have to be reinstalled once the intermediate was done, again? If so, is there a requirement to un-install the ssl first then re-install? I don't want to break the exchange.

Thanks,

Scott
 
You shouldn't have to "reapply" the SSL after installing the intermediate certificate. If you view the SSL, specifically the Certification Path tab... do you have the GoDaddy chain there... and does the Certificate Status indicate as OK?

Chris Clancy, EnCE CCE


 
Hi Chris:

Yes, the Go Daddy chain is there and the certificate status is OK. About the only off thing is that in the procedure to install the intermediate cert, the last 2 steps were to disable the Go Daddy Class 2 Certificate Authority, and it was already disabled, and then disable the Starfield Class 2 Certificate Authority, but there was no Starfield Class 2 Certificate Authority to disable. I wonder if that is significant?

Thanks,

Scott
 
Hi Chris:

Hope you catch this update. It's been 15 days since we last communicated on the problem I describe in the first post on this thread and it still is not working. I seem to be getting more of the Exchange non-delivery of email now, to seemingly unrelated domains. Here is an "NDR" from today:

Delivery is delayed to these recipients or distribution lists:

Cathy Church

Subject: RE: Ocean Club

This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf.

Delivery of this message will be attempted until 12/17/2010 3:46:39 PM (GMT-05:00) Indiana (East). Microsoft Exchange will notify you if the message can't be delivered by that time.

Here is a worse one, the most common:

From: Microsoft Exchange
Sent: Wednesday, December 15, 2010 2:58 PM
To: Scott Roe
Subject: Undeliverable: RE: Pinnacle #20


Delivery has failed to these recipients or distribution lists:

Paula McCartney - Crighton Properties Ltd
Microsoft Exchange has been trying to deliver this message without success and has stopped trying. Please try sending this message again, or provide the following diagnostic text to your system administrator.

_____

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: ROESERVER.roenet.local

paulamc@crightonproperties.com
#550 4.4.7 QUEUE.Expired; message expired ##

Original message headers:

Received: from ROESERVER.roenet.local ([fe80::64f0:4457:317c:70b0]) by
ROESERVER.roenet.local ([fe80::64f0:4457:317c:70b0%10]) with mapi; Mon, 13
Dec 2010 14:54:36 -0500
From: Scott Roe <scottroe@scottroe.ky>
To: Paula McCartney - Crighton Properties Ltd <paulamc@crightonproperties.com>
Date: Mon, 13 Dec 2010 14:54:34 -0500
Subject: RE: Pinnacle #20
Thread-Topic: Pinnacle #20
Thread-Index: AcuYthnw76evpmZ/Q/yD7Z7lkOhg3QCLxcsQAAEYhmAAAEqXwAAFLkNQ
Message-ID: <781EA558F74E9C4BA7D79939BD059F83017695AD05@ROESERVER.roenet.local>
References: <781EA558F74E9C4BA7D79939BD059F83017695ACE2@ROESERVER.roenet.local>
<024101cb9ae5$432afc70$c980f550$@com>
<781EA558F74E9C4BA7D79939BD059F83017695AD03@ROESERVER.roenet.local>
<026901cb9aea$cfbbb080$6f331180$@com>
In-Reply-To: <026901cb9aea$cfbbb080$6f331180$@com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Now, my external domain is mail.scottroe.ky and different from the internal: roeserver.roenet.local. Is that the problem?

Thanks for any help. I also think this is the root of why the go daddy cert is still giving me an incorrect "site" name.

Thanks,

Scott
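
The dialog quoted in the first post reports three separate checks, and the name check is independent of the trust chain and the validity dates. The following is an added example, not code from the thread or from any poster: it shows how a client compares the host name it connects to against the DNS names listed in a certificate. Every host name and the certificate name lists are constructed sample values.

```python
"""Added example: the certificate name check, separate from chain and date checks.

All names below are constructed samples, not values taken from a real certificate.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against a host name (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one leftmost label and needs at least
        # two fixed labels after it, so "*.ext" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def name_coverage(cert_dns_names, client_names):
    """Map each name a client connects to onto the cert entry covering it, or None."""
    return {
        host: next((n for n in cert_dns_names if dns_name_matches(n, host)), None)
        for host in client_names
    }


def uncovered(cert_dns_names, client_names):
    """Names that would raise a 'name does not match' warning."""
    coverage = name_coverage(cert_dns_names, client_names)
    return sorted(host for host, match in coverage.items() if match is None)


# Constructed sample: a single-name certificate and a wildcard certificate.
SINGLE_NAME_CERT = ["mail.domain.ext"]
WILDCARD_CERT = ["*.domain.ext"]
# Constructed sample: names a mail client might use to reach the server.
CLIENT_NAMES = [
    "mail.domain.ext",
    "autodiscover.domain.ext",
    "server.internal.local",
]

if __name__ == "__main__":
    for cert_names in (SINGLE_NAME_CERT, WILDCARD_CERT):
        print(cert_names, "does not cover", uncovered(cert_names, CLIENT_NAMES))
```

A certificate can chain to a trusted CA and be within its validity dates while still failing this comparison for any name it does not list.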
 