Autodiscover SSL Certificate showing as expired - Exchange Hybrid


We are having issues with our Autodiscover; we only just noticed this issue yesterday, which is when our old SSL cert expired.

After noticing this, I checked IIS on both Hybrid Exchange Servers and noticed the old SSL cert was bound to the web services. I changed this to the new cert, restarted the web services, and also restarted the server.

But yet no change to the certificate associated with Autodiscover!

Our SSL cert was updated 2 weeks ago, via the cert store and running the Hybrid Configuration Wizard.

Mail flow seems to be fine; I can see in the SMTP send logs that the TLS connector is using our new SSL certificate with the correct credentials.

Does anyone have any insight into this?

5 Replies

Check that article. Despite changing the cert in IIS, you need to apply it to the Exchange Server services as well.

Greg

https://docs.microsoft.com/en-us/Exchange/architecture/client-access/assign-certificates-to-services...

@SysGreg Thank you, I will take a look at this, check our settings and update you. 

@SysGreg I can confirm that the new SSL cert has been associated to SMTP and IIS. It's visible via PowerShell and also in EAC.

Although I have not deleted the old SSL cert yet, I'm guessing it's safe to get rid of it now?

Browse the site from the internet, and if you are still getting the wrong certificate, are you sure that there is no SSL termination, such as a load balancer or firewall, which is intercepting the traffic? It should be updated there.
Make sure you reset IIS also to force it to load the new setting.
Ensure that IIS is associated with the new certificate.

-----
Posted from mobile

@ChrisWork Hey, have you talked about this with your firewall guys? Had this case once and it was related to SSL caching on the central firewall. Had to clear the caches and everything worked as before.

If this is not the case, did you check if the cert is valid? Maybe the URLs for revocation checks can't be reached from the Exchange server.

Kind regards
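
The checks suggested across the replies above (which certificate is actually presented on the wire, whether its revocation URLs are reachable, and which certificate Exchange has enabled for IIS) can be run together. This is an added example, not part of the original thread; the host name `autodiscover.example.com` and the function name `Get-PresentedCertificate` are assumptions, so substitute your own Autodiscover FQDN.

```powershell
# Added example. $HostName is a placeholder; set it to your Autodiscover FQDN.
param([string]$HostName = 'autodiscover.example.com', [int]$Port = 443)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation is bypassed only so that an expired certificate can still
        # be read; the handshake completes and no request is ever sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

# 1. What the client really sees (this may be a load balancer or firewall, not IIS).
$presented = Get-PresentedCertificate -HostName $HostName -Port $Port
'Presented: {0}  expires {1:u}  subject {2}' -f `
    $presented.Thumbprint, $presented.NotAfter, $presented.Subject
if ($presented.NotAfter -lt (Get-Date)) {
    Write-Warning 'The certificate presented on the wire has expired.'
}

# 2. Chain and revocation check from this machine. RevocationStatusUnknown or
#    OfflineRevocation means the CRL/OCSP URLs could not be reached.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
[void]$chain.Build($presented)
$chain.ChainStatus | ForEach-Object { 'Chain status: {0}' -f $_.Status }

# 3. Only in the Exchange Management Shell: compare with the IIS-enabled certificate.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    $bound = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
    $bound | Format-Table Thumbprint, NotAfter, Services, Subject -AutoSize
    if ($bound.Thumbprint -notcontains $presented.Thumbprint) {
        Write-Warning ('Presented certificate is not one Exchange has enabled for IIS. ' +
            'Check any load balancer, firewall or proxy terminating TLS in front of the server.')
    }
}
```

Run steps 1 and 2 from a machine outside the network to test the internet-facing path, since internal DNS may resolve the name straight to the Exchange server and bypass the device that is serving the old certificate.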