Renewal issue for autodiscover address

Good day everyone,
Ran into an issue with a site I do IT support for, of course the day before vacation.

So the site has a single server acting as the DC and their Exchange server, and within the past couple of days it's come to its first certificate renewal. After the certificate renewed all of their users began getting a security alert pop-up giving this for a rundown:
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
(check mark) The security certificate is from a trusted certifying authority
(X) The security certificate has expired or is not yet valid
(check mark) The security certificate has a valid name

Viewing the cert shows it was issued to, issued by R3, Valid from 3/24/2021 to 6/22/2021. So obviously still trying to use the old certificate.

Now I'm running Certify, it shows the certificate for will expire in 89 days. If I go under Managed Certificates > Advanced > View Certificate it all looks correct there and gives me the option to install it, which I have clicked, but it still shows "install cert" afterwards.
If I go into IIS Manager and check my certs in there, I can see it showing the certificate with an expiration date of 9/21/2021.
I currently can’t access the EAC for Exchange due to this certificate issue.

Can anyone think of anything I may have missed?

Further update,
Looking at the certificate that Outlook presents when trying to connect to the Exchange server, I’ve also attempted to remove the Certificate via the Exchange Shell using the thumbprint of the cert.
It tells me the certificate isn’t installed.

Hi, I’m not an Exchange expert but generally there are two parts:

  • Request/new the certificate in Certify. This seems to be working.
  • Apply the certificate to your service. We do this automatically for IIS on the same machine that Certify is running on, if your IIS bindings use hostnames that match the certificate.

I suspect last time you renewed the cert that you may have manually installed the cert in Exchange?

Alternatives would be:

  • Use a deployment task (under Tasks) to apply the cert to Exchange via PowerShell. We have a basic Deploy to MS Exchange task that you may or may not be using.
  • Or, use your own script to deploy the certificate to Exchange. This is useful if you know there are a bunch of things to apply the cert to.

For IIS sites, open the site in IIS Manager and check the site bindings. There should be an https binding with the correct (latest) certificate selected. If not, there's something wrong with either your IIS bindings or the way Certify has been configured to update your bindings. You can preview how bindings will be updated in the Preview tab (planned binding changes are shown at the bottom of the preview page). This is not done on the 'Certificate' view (which just shows everything that's on the machine), this is on your actual IIS site, under Bindings.

By default your certificate will be in the local computer certificate store (Personal/MY). If you have multiple machines then they won't know anything about the new/renewed certificate until you either deploy it via PowerShell or install it to each machine then apply it to the required service.
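The "own script" route from the reply above, as an added example that is not code from this thread and not Certify's own Deploy to MS Exchange task. It picks the newest unexpired certificate in LocalMachine\My that carries the site's hostname, enables it for the Exchange IIS and SMTP services, then checks that the https bindings on the Default Web Site actually reference that thumbprint and rebinds them if not. Run it from the Exchange Management Shell as an administrator; the hostname `mail.example.com` is an assumption to replace with your own.

```powershell
# Added example (not Certify's task, not from the thread): deploy the renewed
# Let's Encrypt cert from LocalMachine\My to Exchange and verify IIS bindings.
param(
    [string]$HostName = 'mail.example.com'   # assumption: the FQDN on the cert
)

Import-Module WebAdministration

# Newest valid cert in the machine Personal (MY) store whose SAN list includes the host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey -and
                   $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No unexpired certificate for $HostName found in LocalMachine\My" }
Write-Host "Deploying $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Step 1: tell Exchange to use it. -Services IIS covers OWA/ECP/EWS/Autodiscover/MAPI;
# -Force suppresses the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# Step 2: verify the IIS bindings, which is what the Outlook/EAC failure in this
# thread came down to. certificateHash on a binding is the bound thumbprint.
foreach ($binding in Get-WebBinding -Name 'Default Web Site' -Protocol https) {
    if ($binding.certificateHash -ne $cert.Thumbprint) {
        Write-Host "Rebinding $($binding.bindingInformation) from $($binding.certificateHash)"
        $binding.AddSslCertificate($cert.Thumbprint, 'My')
    } else {
        Write-Host "$($binding.bindingInformation) already uses the new certificate"
    }
}

# Step 3: show what Exchange now reports; the new thumbprint should list IIS and SMTP.
Get-ExchangeCertificate |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, NotAfter, Services, Subject -AutoSize
```

The script deliberately leaves the Exchange Back End site alone: it is meant to keep the self-signed Microsoft Exchange certificate, and only the Default Web Site bindings need the public certificate. Once it works by hand it can be wired into a Certify deployment task so the next renewal does not need a reboot and a manual binding fix.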

So further development, after they closed for the day I was able to reboot the server. Ran into a bit of a hairy scenario where Outlook could no longer connect to Exchange (external or internal) and I could also no longer access the EAC.
Found out the bindings for HTTPS in IIS needed to have the new SSL cert from Let’s Encrypt set. So back up and going that way.
But I am now getting the error “The name on the security certificate is invalid or does not match the name of the site” when opening Outlook.

If deploying a single cert across multiple parts of Exchange (webmail, autodiscover etc) your certificate needs to include all of the names that the service is known by. So for instance:

The odd thing is that you had it working before, so what changed? Did you delete and re-create the managed certificate or perhaps use a different tool to get the first cert? The domains wouldn’t spontaneously disappear from the cert so something else has changed and it would be useful for you to know what so it doesn’t happen next time.

If you have a complete log for the managed certificate you could send it through to support at as it may show in more detail how the requested cert varied over time.
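A way to find out which names are missing before the next renewal, as an added example that is not code from this thread or from Certify. It gathers every hostname the Exchange server publishes to clients (the Autodiscover SCP URI, each client-access virtual directory's internal and external URL, the Outlook Anywhere hostnames, and the autodiscover.<domain> name Outlook tries for each accepted domain) and reports which of them the certificate currently enabled for IIS does not cover. Run it from the Exchange Management Shell; Exchange 2016/2019 cmdlet names are assumed (on Exchange 2013 use Get-ClientAccessServer instead of Get-ClientAccessService).

```powershell
# Added example (not from the thread or Certify): compare the names Exchange
# publishes against the SAN list of the certificate Exchange has enabled for IIS.

function Get-ExchangePublishedHosts {
    $urls = @()
    $urls += Get-ClientAccessService | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
    foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                     'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                     'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory') {
        $urls += & $cmd | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    }
    $hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host })
    # Outlook Anywhere stores bare hostnames rather than URLs.
    $hosts += Get-OutlookAnywhere | ForEach-Object { "$($_.InternalHostname)"; "$($_.ExternalHostname)" }
    # Outlook's external lookup also tries autodiscover.<smtp domain> for each accepted domain.
    $hosts += Get-AcceptedDomain | ForEach-Object { "autodiscover.$($_.DomainName)" }
    $hosts | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Test-CertificateCoversHosts {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Hosts
    )
    $san = @($Certificate.DnsNameList.Unicode | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($h in $Hosts) {
        # Exact SAN match, or a one-label wildcard entry such as *.example.com.
        $match = $san | Where-Object {
            $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_ -and
                           $h.Split('.').Count -eq $_.Split('.').Count)
        }
        [pscustomobject]@{ Host = $h; Covered = [bool]$match }
    }
}

# Exchange cmdlets return deserialized objects, so take the thumbprint Exchange reports
# for IIS and load the real certificate from the local store to read its SAN list.
$iisThumb = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1 -ExpandProperty Thumbprint
$iisCert = Get-Item "Cert:\LocalMachine\My\$iisThumb"

Write-Host "Certificate bound to IIS: $($iisCert.Subject), expires $($iisCert.NotAfter)"
Write-Host "SANs: $($iisCert.DnsNameList.Unicode -join ', ')"
Test-CertificateCoversHosts -Certificate $iisCert -Hosts (Get-ExchangePublishedHosts) |
    Format-Table -AutoSize
```

Every row reporting `Covered = False` is a name Outlook, OWA or ActiveSync may be told to use that the certificate does not carry, which is exactly what produces the "name on the security certificate is invalid or does not match the name of the site" warning. Add those names to the managed certificate's domain list in Certify so the next renewal includes them, or change the virtual directory URLs so they all use the name the certificate already has.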

That would be awesome, I will send that log file in shortly. I've got it so they will at least be able to get through Thursday and Friday.

Cool, I'll reply to the ticket. It looks like you currently are only requesting a cert for autodiscover.