Forum Discussion
Exchange health set unhealthy
Hi Gly,
Yes, the localhost reference is fine.
I may be digging too many years into the past, but I have a hunch you hit this timeout issue when the CRL URL can't be reached.
Here's a quick-but-lengthy PowerShell one-liner you can run on your Exchange Server host to check if the CRL is accessible from the host itself. Note, I'm on Exchange Server 2019 but I would anticipate this should still work on Exchange Server 2016 given how basic the command is.
Out of sympathy for anyone reading this post, I've also included a formatted version of the same one-liner.
# One-liner.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object { $Matches = $null; $null = certutil -v -store my $_.Thumbprint | Where-Object { $_ -match "\(http.+\.crl\)" }; if (0 -lt $Matches.Count) { $crl = $Matches[0] -replace "[\(\)]", ""; [PSCustomObject] @{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter; Subject = $_.Subject; CRL = $crl; CRLOkay = 400 -gt (Invoke-WebRequest -UseBasicParsing -Method Get -Uri $crl).StatusCode }; } }
# The same one-liner from above formatted for easier reading. You can readily copy-and-paste this version into the PowerShell console window if you like.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
    # Clear any match left over from the previous certificate so a certificate
    # without a CRL URL is not reported with the previous certificate's URL.
    $Matches = $null;
    # Dump the certificate from the machine's personal store; -match fills $Matches
    # with the last output line that contains a "(http...crl)" URL.
    $null = certutil -v -store my $_.Thumbprint | Where-Object {
        $_ -match "\(http.+\.crl\)" };
    if (0 -lt $Matches.Count) {
        # Strip the surrounding parentheses from the matched URL.
        $crl = $Matches[0] -replace "[\(\)]", "";
        [PSCustomObject] @{
            Thumbprint = $_.Thumbprint;
            NotAfter = $_.NotAfter;
            Subject = $_.Subject;
            CRL = $crl;
            # True when the CRL download returns an HTTP status below 400.
            CRLOkay = 400 -gt (Invoke-WebRequest -UseBasicParsing -Method Get -Uri $crl).StatusCode;
        }
    }
}
If you find that CRLOkay is True then my recollection is wrong and I'd have to go away and try to reproduce your timeout before I could attempt to give myself a refresher.
Cheers,
Lain
- Gly, Mar 17, 2025, Brass Contributor
Hello LainRobertson,
The health probes started working again without me doing anything a few days after I made the original post. I ran your one-liner (had to make a change to the regex: "http.+\.crl") and it resulted in CRLOkay = True, but then again the error is no longer present. I will try this again if the error somehow reappears later.
Thank you very much for taking the time to respond!
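The CRL reachability check discussed in this thread, written as an added example (not code from either poster) that reads the CRL Distribution Points extension directly instead of matching certutil's text output, and reports a failed download as a result row rather than an error. The function name `Test-CertificateCrl`, the 15-second timeout and the `URL=` prefix in the formatted extension text (English-language Windows) are assumptions.

```powershell
function Test-CertificateCrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $Thumbprint,
        [int] $TimeoutSec = 15   # assumed value, adjust as needed
    )
    process {
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
        # 2.5.29.31 is the OID of the CRL Distribution Points extension.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            # Format($true) renders one "URL=..." entry per line (assumed English output).
            $urls = @([regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        if ($urls.Count -eq 0) {
            # No HTTP distribution point, e.g. a self-signed certificate.
            $urls = @($null)
        }
        foreach ($url in $urls) {
            $ok = $null
            $detail = 'No HTTP CRL distribution point'
            if ($url) {
                try {
                    $r = Invoke-WebRequest -UseBasicParsing -Method Get -Uri $url -TimeoutSec $TimeoutSec
                    $ok = 400 -gt $r.StatusCode
                    $detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
                } catch {
                    # DNS failure, timeout, proxy block or HTTP error status all land here.
                    $ok = $false
                    $detail = $_.Exception.Message
                }
            }
            [PSCustomObject]@{
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Subject    = $cert.Subject
                CRL        = $url
                CRLOkay    = $ok
                Detail     = $detail
            }
        }
    }
}

# Usage from the Exchange Management Shell; Thumbprint binds by property name.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Test-CertificateCrl
```

The request runs with the proxy settings of the account that opened the console, which can differ from those of the account a service runs under, so a True result here does not rule out a CRL fetch failure in the service's own context.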