I have a newly set up hybrid from an Exchange 2016 single server on-premises. The migration of mailboxes has run OK, but mail is not flowing between 365 and on-premises, and before we redirected the MX record it wasn't flowing the other way either.
A few of the symptoms I have are:
Running a validation email on the 365 outbound connector fails with the message:
450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch] [LastAttemptedServerName=remote.mydomain.com]
The newly purchased GoDaddy certificate clearly has that as a SAN. Specifically, the subject is my.domain.com and the Subject Alternative Names are www.mydomain.com, remote.mydomain.com and autodiscover.mydomain.com, exactly as specified by the MS documentation for hybrid certificates.
On the Exchange server we still have messages held in the queue to mytenant.mail.onmicrosoft.com, those that came in from external before the MX record change. The last error is:
(LED=451 4.4.395 Target host responded with the error. -> 4220.127.116.11 Certificate validation failure, Reason:untrustedRoot);(MSG=);(FQDN=mytenant-mail-onmicrosoft-com.mail.protection.outlook.com)
Everything seems to state that there's a certificate issue. The server is fully patched and up to date, and Windows root certificate updates aren't blocked. We have rerun the HCW, disabled TLS 1.0 and 1.1, and removed and re-added the certificate. The state is exactly the same.
The TlsCertificateName on those connectors: has it been configured, has the certificate recently been renewed, and is there a mismatch in TlsCertificateName <I>X<S>Y, where X is no longer the actual issuer or Y mismatches the subject? Sometimes CAs change (intermediate) root certs and you get this phenomenon.
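One way to check the two things raised in this thread, the TlsCertificateName value on the hybrid connectors against the certificate that is actually installed, and whether that certificate chains to a trusted root locally, from the Exchange Management Shell on the on-premises server. This is an added example, not code from the original posts; it assumes the HCW default connector name "Outbound to Office 365", a Default Frontend receive connector on the local server, and the SAN remote.mydomain.com from the question. Adjust those to your environment.

```powershell
# Added example (not from the original thread). Run in the Exchange Management
# Shell on the on-premises Exchange 2016 server. Assumptions: the HCW created a
# send connector named "Outbound to Office 365" and a receive connector named
# "Default Frontend <server>"; the hybrid SAN is remote.mydomain.com.
param(
    [string]$SanFqdn = 'remote.mydomain.com',
    [string]$SendConnectorName = 'Outbound to Office 365',
    [switch]$Apply    # only rewrite the connectors when explicitly asked
)

# 1. Pick the newest SMTP-enabled certificate that actually carries the hybrid SAN.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $SanFqdn -and $_.Services -match 'SMTP' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No SMTP-enabled Exchange certificate with SAN $SanFqdn found" }

"Certificate: {0}`n  Subject : {1}`n  Issuer  : {2}`n  Expires : {3}`n  Status  : {4}" -f `
    $cert.Thumbprint, $cert.Subject, $cert.Issuer, $cert.NotAfter, $cert.Status

# The value Exchange expects in TlsCertificateName is "<I>issuer<S>subject",
# using the distinguished names exactly as they appear on the current certificate.
$expectedTlsName = '<I>' + $cert.Issuer + '<S>' + $cert.Subject

# 2. Can this server build the full chain (root + intermediates) for the certificate?
#    Schannel sends the chain it can build from the local stores, so a chain that
#    cannot be built here is also what the far side sees as an untrusted root.
$x509  = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain trust only; revocation is a separate question
if ($chain.Build($x509)) {
    "Chain builds OK:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    "Chain FAILS to build:"
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}

# 3. Compare the configured TlsCertificateName on both hybrid connectors with the
#    current certificate. A stale issuer (CA changed its intermediate) or a stale
#    subject (renewed cert with a different CN) shows up here as a mismatch.
$send = Get-SendConnector -Identity $SendConnectorName
$recv = Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Where-Object { $_.Name -like 'Default Frontend*' }

foreach ($c in @($send, $recv)) {
    $configured = if ($null -ne $c.TlsCertificateName) { $c.TlsCertificateName.ToString() } else { '' }
    if ($configured -eq $expectedTlsName) {
        "{0}: TlsCertificateName matches the current certificate" -f $c.Name
        continue
    }
    "{0}: TlsCertificateName MISMATCH" -f $c.Name
    "  configured: " + $(if ($configured) { $configured } else { '(not set)' })
    "  expected  : " + $expectedTlsName

    # 4. Optional fix, exactly the documented HCW-style assignment.
    if ($Apply) {
        if ($c -is [Microsoft.Exchange.Data.Directory.SystemConfiguration.SmtpSendConnectorConfig]) {
            Set-SendConnector -Identity $c.Identity -TlsCertificateName $expectedTlsName
        } else {
            Set-ReceiveConnector -Identity $c.Identity -TlsCertificateName $expectedTlsName
        }
        "  -> updated"
    }
}
```

Run it without -Apply first and read the three sections: the certificate that was selected, whether its chain builds, and whether each connector's TlsCertificateName equals the <I>issuer<S>subject string built from that certificate. Only when the mismatch is confirmed, rerun with -Apply to rewrite the connectors. If the chain section fails with an untrusted-root or partial-chain status, the fix is in the local Intermediate/Trusted Root stores rather than on the connectors.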