Need to view configuration of old Certify client - new-to-me client

Hi everyone,
Have a new-to-me client who is having a security certificate issue. Their previous IT guy passed away so I’m unable to check anything with him.

So before I start, I am aware this server OS is vastly out of date and is going to be an obstacle until I can get them updated. It’s a work in progress.
So they have a server running SBS2008 that has Exchange 2007 installed on it. I’m not certain what version of Certify the Web they are running, because as soon as I open the app I am presented with the notification they need to update to 5.4.3 and if I hit no I of course get the notification that the app is no longer supported and the UI closes.

Looking into IIS it appears it should have a certificate that was renewed on May 31 and should still be good, however their Outlook clients are seeing the one that expired on July 9th.

Is there any way to get the Certify app to open so I can look at the configuration without the notifications shutting me out?

One extra item to add.
They have a second server onsite that is running 2012 R2, while I know Exchange 2007 isn’t compatible with 2012 R2, I’m thinking I might be able to obtain certificates through this server for their sites.

Hi,

Sorry to hear this, that must be quite challenging.

So you are correct, you don’t need to generate certs on the same machine that will use them, it’s just more convenient because you can run deployment scripts on the same machine automatically when the cert renews. SBS 2008 is too old for any current version of Certify so you are going to need to get your certs on another machine and copy them across then install them.

To circumvent the app closing on update check you’d need to temporarily block update checks on startup, so edit the file C:\ProgramData\Certify\appsettings.json and set "CheckForUpdatesAtStartup": true to false

Have a look under Add/remove programs to find out the currently installed version number of Certify then drop an email with the details to support at certifytheweb.com and I’ll try to help from there. I suspect you probably have version 3.x because it sounds like you are hitting the mandatory upgrade which we only use if your version is so unsupported that it’s just not going to work any more (Let’s Encrypt have changed their API multiple times over the years).

We need to figure out if your old renewals used any scripts, if so it’s important to find those and grab a copy as this could be useful to automate future cert updates.

In the meantime, you can use a different machine to get a certificate for the names you need (I believe for Exchange your cert will usually include autodiscover.yourdomain.com then whatever names the mail services have, like webmail.yourdomain.com and mail.yourdomain.com etc).

You will need to use DNS validation (the Authorization tab) because http validation only works from the same machine operating those services. If we don’t have support for your DNS provider API check out Certify DNS (https://docs.certifytheweb.com/docs/dns/providers/certifydns). If you need help with that or have other questions please ask in your support ticket email.

Once you have a cert generated on a different machine you can copy the PFX file using a script or Task (the Certificate Export task will give you a PFX in the destination of your choice), or manually via Certificate > Advanced > Actions (copy the path). You will then need to import the certificate into the certificate store of the target machine, then run whatever Exchange Admin UI you have to assign the certificate to all the services.

p.s. it’s worth providing a zipped copy of your C:\ProgramData\Certify folder as part of your support ticket (maybe linked via onedrive or dropbox etc), then we can see what configuration you have.

So this got set on the back burner due to the needs of some other clients of mine. Over the weekend I caught that the cert was expiring and went with the workaround of getting the server running Server 2012 to pull the certificate, exported it out, imported it onto the old server, and set the bindings for IIS, IMAP, POP, and SMTP.
Everything seemed good the next day, remoted into the site and logged in as a user to verify Outlook didn’t get any SSL cert expiry warnings, everything seemed good.
Got a call from this site today and their remote users who access their email through their phones are getting “Cannot Get Mail, The connection to the server failed”.

Any ideas?

I’m not an Exchange expert but I’d get them to restart their phones for a start and I’d probably try a restart of your server.

It’s also possible there is some interconnected service like a gateway? There could be a connector somewhere that also needs the new certificate applied.

Ultimately the specifics of deployment of a certificate (or multiple certificates) will vary wildly between different uses/configurations so if simple restarts don’t fix it then I’m afraid you have to validate your entire service configuration to ensure that all services using certificates currently have a valid cert, then document what needed to be updated for next time. These may be across multiple machines/servers.
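
The advice in the last reply, confirming that every service currently presents a valid certificate, can be checked from outside the server by asking each endpoint which certificate it hands out. The PowerShell below is an added example, not part of the thread or of Certify; the host name (the thread's placeholder), the port list and the `Get-PresentedCertificate` helper are assumptions, and it is meant to run from a current Windows machine rather than on the SBS 2008 server.

```powershell
# Added example: list the certificate each mail endpoint actually presents.
# Host name and port list are assumptions; match them to the services you bound.
$MailHost  = 'mail.yourdomain.com'
$Endpoints = @(
    @{ Name = 'HTTPS (IIS)'; Port = 443; StartTls = $false },
    @{ Name = 'IMAPS';       Port = 993; StartTls = $false },
    @{ Name = 'POP3S';       Port = 995; StartTls = $false },
    @{ Name = 'SMTP';        Port = 25;  StartTls = $true  }
)
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port, [bool]$StartTls)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        if ($StartTls) {
            # Minimal SMTP dialogue: banner, EHLO, STARTTLS, then hand over to TLS.
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
            $writer.WriteLine('EHLO cert-check.invalid')
            do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
            $writer.WriteLine('STARTTLS')
            $line = $reader.ReadLine()
            if ($line -notmatch '^220') { throw "STARTTLS refused: $line" }
        }
        # Accept any certificate here: the aim is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}
$results = foreach ($ep in $Endpoints) {
    $row = [pscustomobject]@{ Service = $ep.Name; Port = $ep.Port; NotAfter = $null
                              Expired = $null; Thumbprint = $null; Error = $null }
    try {
        $cert = Get-PresentedCertificate $MailHost $ep.Port $ep.StartTls
        $row.NotAfter = $cert.NotAfter; $row.Thumbprint = $cert.Thumbprint
        $row.Expired  = $cert.NotAfter -lt (Get-Date)
    } catch { $row.Error = $_.Exception.Message }
    $row
}
$results | Format-Table -AutoSize
$prints = @($results | Where-Object { $_.Thumbprint } | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($prints.Count -gt 1) { Write-Warning 'Endpoints present different certificates.' }
```

A connection or handshake failure is recorded in the Error column for that endpoint instead of stopping the run, so one unreachable service does not hide the results for the others.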