New SSL certificate can no longer log in to ECP

Hello everyone, 

I'm being faced with a very strange situation which I've never faced before. 

I think I understand what happened but I don't understand how to fix it.

One of my on-prem Exchange 2013 servers had a certificate expire today. Not a big deal. I got my new certificate from GoDaddy and exported it how I've been doing for the last 10 years. Created everything correctly as I've always done. I completed my certificate request correctly and the certificate showed up in my ECP. I then went to add the Exchange services (IIS / SMTP in my case) and immediately when I pressed OK my browser said "Your session timed out", and since then I can no longer log in to ECP.

Strangely, it seems that the certificate imported correctly. All my emails started to work again, the phones started to work, and when I visit my OWA from the web and look at the certificate, it is showing the correct certificate.

However, internally, I show the following error:

Cmdlet failed. Cmdlet Enable-ExchangeCertificate, parameters -Services "IIS, SMTP" -Identity "SERVERNAME.domain.local\THUMBPRINT".

Basically, when I try to go to my ECP the page loads normally, I put in my username and password, press Enter, and then the page just refreshes and I have to put in my password again. No error, nothing. I've tried putting in a wrong password and the page tells me that I've put in the wrong password, so I know it's doing something.

I tried different accounts, same error. I tried going into the IIS settings and reverting to the old certificate on the Exchange Backend, no change. I tried restarting the ECP App Pool, tried recycling it, same error.

I then tried to enable the certificate through PowerShell with the command

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services POP,IMAP,SMTP,IIS

and I am returned with the following error

A special Rpc error occurs on server SERVERNAME: The certificate with thumbprint THUMBPRINT
was not found.
    + CategoryInfo          : ObjectNotFound: (:) [Enable-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : [Server=SERVERNAME,RequestId=ef042e79-e954-4d7a-ac1d-2801af6757a6,TimeStamp=9/12/2022 11:11:5
   4 PM] [FailureCategory=Cmdlet-InvalidOperationException] FE7E0D3C,Microsoft.Exchange.Management.SystemConfiguratio
  nTasks.EnableExchangeCertificate
    + PSComputerName        : SERVER.domain.local

I also tried restarting the Certificate Propagation service and all the Exchange services, no go.

I also tried this with a very old version of Chrome (v49), no luck.

I'm at a loss; any help would really be appreciated on this. I need to be able to get to the ECP, I use it pretty often.

Thank you very much!

3 Replies
I also noticed (I have no idea if it was there before, I never paid attention) that the certificate "Exchange Server Auth Certificate" is not present.
When I do the "get-exchangecertificate" command I have the following certificates available:

Exchange Delegation Federation
WMSVC
My old expired certificate
My new certificate

Hello!
Does anyone have any insight on this?

Hello,
I haven't posted here in a while, but does anyone have any suggestions for this?