From: ian on 18 Jan 2010 17:33

I also recently migrated from SBS2003 to SBS2008 using a swing kit I purchased. For the most part, everything has worked beautifully. One change, though, was that previously, we had just used a self-signed certificate that I always had to manually install on our smart phones (moto-q's and htc touches).

I went ahead and purchased a certificate from Verisign and installed it using the request/complete certificate wizard in IIS. Then ran the "configure certificates" wizard in the SBS console and successfully configured that certificate for remote.ogequip.com. The remote site, including /exchange all show a valid certificate. But our smartphones continue to show certificate errors. I have even manually installed the cert on them and it makes no diff.

https://www.testexchangeconnectivity.com/ ran a test and gave the following errors:

Testing SSL Certificate for validity.
  The SSL Certificate failed one or more certificate validation checks.
  Test Steps
    Validating certificate name
      Successfully validated the certificate name
      Additional Details
        Found hostname remote.ogequip.com in Certificate Subject Common name
    Validating certificate trust for Windows Mobile Devices
      Certificate trust validation failed
      Tell me more about this issue and how to resolve it
      Additional Details
        The certificate chain did not end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

The link that error leads to indicates that it cannot follow the certificate chain to a trusted authority. But I am unable to figure out how to fix this. I have been reading numerous blogs and technical articles that give different suggestions (such as working in the exchange power shell) but there are quite a few and I don't want to break existing functionality doing them. OWA works. The site shows secure in explorer. It's only activesync that fails.
Plus, if it were this complicated to configure, why wouldn't the import cert wizard not take care of all of this? If it was configuring for all the other remote sites, why not OMA functionality? Obviously, I am missing something. Does anyone have any suggestions? Thanks.

Todd Wagner wrote:
Continue to get the cert error
09-Nov-09

I went through the installing a godaddy cert and reconfigured outlook to make the cert primary with the 4 services and adjusted my urls within Exchange. When I launch outlook, it still comes up with the error with Sites listed security alert. I also created the split DNS as well. I don't know what to check now. This is getting old. Any further advice, or is a call into microsoft needed?

Previous Posts In This Thread:

On Tuesday, September 29, 2009 8:12 PM Bill Glidden wrote:
Trusted Cert Woes on SBS 2008

I decided to install a trusted cert from GoDaddy to make access to RWW, OWA and Outlook Anywhere more user-friendly. I used:
http://smbtn.wordpress.com/2009/02/12/installing-a-godaddy-standard-ssl-certificate-on-sbs-2008/
for my first few attempts (installing the intermediate bundle) and when I had issues with this, I eventually used:
http://blogs.technet.com/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx

I have had several goes at this (using re-keyed certs) always with the same results:

1. The trusted certificate never appears for selection as the preferred certificate in the Certificate Wizard (only self-signed certs are displayed). In the SBS Console, Network/Connectivity/Web Server Certificate is showing the trusted cert from GoDaddy.

2. When I launch Outlook 2007, I get two Security Alerts from the site remote.glidden.net.au. View Certificate shows the name of the trusted cert office.glidden.net.au. This happens on PCs that are not using Outlook Anywhere as well.

Otherwise the trusted certificate is functioning: no certificate warning nags in RWW, OWA or Company Website.
A clue to all this is that the name of the trusted cert is different to the self-signed one. Also, when I run the fix my network wizard it tells me that the trusted certificate has expired and removes it if checked. I am new to and pretty clueless with certs: this is the first time I have tried to install a trusted cert. SBS BPA finds no issues. Can someone please help me to sort this? Driving me bananas.

On Tuesday, September 29, 2009 10:46 PM Les Connor [SBS MVP] wrote:
Re: Trusted Cert Woes on SBS 2008

Hi Bill, I am assuming you use https://remote.blah.blah/remote or /owa to access your SBS, but your cert is for office.blah.blah. If you use https://office.blah.blah/remote, your cert matches and you get no warning. I looked at your cert, and it looks fine.

--
Les Connor [SBS MVP]

On Tuesday, September 29, 2009 10:48 PM Les Connor [SBS MVP] wrote:

ps, you can change remote.blah.blah to office.blah.blah in the SBS wizard by selecting the 'advanced' button. 'remote' is the default prefix.

--
Les Connor [SBS MVP]

On Tuesday, September 29, 2009 11:14 PM Bill Glidden wrote:
Re: Trusted Cert Woes on SBS 2008

Les Connor [SBS MVP] wrote:

Hi Les, No. I use either remote or office, and want to use office only, but I get the same result with either. I know there is no error when I use /owa or /remote. I am only seeing the Outlook security warning.

On Tuesday, September 29, 2009 11:15 PM Bill Glidden wrote:
Re: Trusted Cert Woes on SBS 2008

Les Connor [SBS MVP] wrote:

I missed that Advanced button... Will go there and do that. Thanks, Les.

On Wednesday, September 30, 2009 12:39 AM Bill Glidden wrote:
Re: Trusted Cert Woes on SBS 2008

Les Connor [SBS MVP] wrote:

Les, I did that and interestingly, it made one of the Security Alerts go away. Still got one.
Will multiple office.glidden.net.au GoDaddy certs be a problem or is only one of these active?

On Wednesday, September 30, 2009 1:00 AM Bill Glidden wrote:
Re: Trusted Cert Woes on SBS 2008

Les Connor [SBS MVP] wrote:

Oh, and Les, I can now see and select the Trusted cert in the Wizard. I can also see the four GoDaddy certs that I installed during the saga. All have type=unknown. AND no more Outlook Security nags. Thanks for helping me sort this and pointing me in the general direction of SBS Console, Advanced Mode!

Cheers,
Bill

On Wednesday, September 30, 2009 10:31 AM Les Connor [SBS MVP] wrote:

Good stuff, Bill - glad you got it sorted. Key is the name in the cert must match the url/site you are accessing. You can get a cert for multiple sites but in this instance you only need

--
Les Connor [SBS MVP]

On Wednesday, September 30, 2009 4:40 PM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

Les, with an Exchange UC/SAN certificate, you can add those names into one cert. The one certificate will allow multiple names added into the certificate in what is called a subjective alternate names list.

Once you have purchased, or have your current certs modified or combined into one certificate by GoDaddy (Exchange can use a single cert with multiple names and they should be able to combine all of them into one for you and pro-rate the price), you can use the Exchange PowerShell Commands to add the services the cert will be used for.

Read the following for more info. I also just added a step-by-step in the blog, today, to illustrate how to request and import the new cert, as well as how to enable the use of the cert for other services, such as IIS, SMTP, IMAP, POP, etc. Enabling it for IIS will work for what you want, as long as the names that you need, such as rww.domain.com, office.domain.com, or whatever else you need, is in the certificate subject alternate names list.
The manual methods work with SBS 2008, too.

Exchange 2007 UC/SAN Certificate
http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

On Wednesday, September 30, 2009 4:41 PM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

I meant to address my last post to Bill, not Les. Sorry....

On Wednesday, September 30, 2009 5:18 PM Les Connor [SBS MVP] wrote:

Good stuff, thanks Ace. I am the guy that has never used a 3rd party cert, ever, with SBS ;-). Always used the self signed certs, and always able to make them do. Worst case is locked mobile devices, but that is worked around by converting the cert to a .cab file.

--
Les Connor [SBS MVP]

On Wednesday, September 30, 2009 5:18 PM Les Connor [SBS MVP] wrote:

no worries, we are all in this together ;-)

--
Les Connor [SBS MVP]

On Thursday, October 01, 2009 12:47 AM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

Cool, yes we are! :-) Thanks!

On Thursday, October 01, 2009 12:55 AM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

For my own Ex2007, I never bought a public cert, but I have not any cases where I would need it. When connecting to OWA, I would just click on the trust this cert message. However, I just replaced my BB with an HTC Touch Pro 2 I picked up last night. Cool phone.
Screen's a hair larger than the iPhone, brighter, too! However, it is Windows Mobile. Guess what? Cert issue time!

So instead of dealing with the cert, I thought let me just get a single name cert (non UC/SAN) and see if it works. Since I set this domain up back in 1999 when AD first came out, the mindset and consensus was to use your public name, so I never changed that. It is only me and a few people that use the domain. So I figured, what the heck, a single name cert would work internally and externally for mail.mydomain.com, and I have the same record created internally.

Well, the thing worked fine with the Windows mobile. It synched up fine. It also works fine for my OWA site, since you can enable that in Exchange to use the cert for other purposes other than just internally, such as for IIS, SMTP, IMAP and POP. However, I know I will have an issue with Outlook Anywhere due to the Autodiscover record, but I don't use that anyway. If it comes down to it, and I need that function, I will dish out the extra $$ for a UC/SAN cert.

And here I am using a single cert for limited capabilities, but I keep pushing to get a UC/SAN cert to my customers. I figured if they ever need the other functionality, I don't want to deal with installing certs on their mobile units, or some of their remote employees that hardly come into the office and are using Outlook Anywhere.

I guess you can call me the landscaper with the tallest lawn on the block!

Ace

On Thursday, October 01, 2009 9:14 AM Bill Glidden wrote:
Re: Trusted Cert Woes on SBS 2008

Ace Fekay [MCT] wrote:

Thanks for all the good info, Ace. :)

Bill

On Thursday, October 01, 2009 4:21 PM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

You are welcome!

Ace

On Thursday, October 01, 2009 5:30 PM Bill Glidden wrote:
Re: Trusted Cert Woes on SBS 2008

Ace Fekay [MCT] wrote:

Thanks for all the good info, Ace.
:)

Bill

On Friday, October 02, 2009 12:31 AM Les Connor [SBS MVP] wrote:

SBS 2k8 deploys the self signed cert onto WM6 automatically. I have an HTC diamond touch, no issues at all.

--
Les Connor [SBS MVP]

On Friday, October 02, 2009 12:33 AM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

You are welcome!

Ace

On Friday, October 02, 2009 12:46 AM Ace Fekay [MCT] wrote:
Re: Trusted Cert Woes on SBS 2008

That I did not know. Thanks!

Ace

On Sunday, November 08, 2009 8:25 PM Todd Wagner wrote:
Cert Error

I am about to lose my sanity over this. I have a UC cert from Go Daddy. I have the subject alternative name listed on the cert for the server name. I have run the certificate wizard to import the go daddy cert and it is trusted. I have run the connect to internet wizard and that is working. My RWW works just fine. I used the install package for connecting the computers to the domain and that went fine. I continue to get the name on the security certificate is invalid. Sites is listed on the nag screen and that resolves back to the server name, which is listed as the subject alternative name. I have been working with Exchange2007 for 3 years now and got through this issue with the SAN cert. I think this may be a Windows 2008 sbs issue. Please help.

On Monday, November 09, 2009 8:36 PM Todd Wagner wrote:
Continue to get the cert error

I went through the installing a godaddy cert and reconfigured outlook to make the cert primary with the 4 services and adjusted my urls within Exchange. When I launch outlook, it still comes up with the error with Sites listed security alert. I also created the split DNS as well. I don't know what to check now. This is getting old. Any further advice, or is a call into microsoft needed?
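The rule that resolves most of the thread (the name in the cert must match the name the client connects to, and a UC/SAN cert carries several names) can be checked mechanically before buying or re-keying a certificate. The Python sketch below is an added example, not code from any poster or vendor; every host name in it is a constructed placeholder, and the matching rules (SAN list replaces the common name when present, wildcard only as the whole left-most label) are assumptions following RFC 2818/6125.

```python
# Added example: which names that clients connect to does a certificate cover?
# All host names below are constructed placeholders, not taken from the thread.

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # Assumed wildcard rules (RFC 6125 style): '*' must be the entire first
    # label, may not appear elsewhere, covers exactly one label, and needs
    # at least two literal labels after it (so "*.test" never matches).
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def coverage(common_name, san_dns, hosts):
    """Map each host to the certificate name that covers it, or None.

    Assumption: when the SAN list is non-empty the client ignores the
    common name (RFC 2818 behaviour); otherwise it falls back to the CN.
    """
    cert_names = list(san_dns) if san_dns else [common_name]
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hosts
    }


def uncovered(common_name, san_dns, hosts):
    """Hosts that would raise a name-mismatch alert, sorted."""
    result = coverage(common_name, san_dns, hosts)
    return sorted(h for h, n in result.items() if n is None)


# Constructed names a small Exchange site might hand to clients:
# public web name, the default 'remote' prefix, Autodiscover, internal server.
CLIENT_HOSTS = [
    "office.example.test",
    "remote.example.test",
    "autodiscover.example.test",
    "sbs01.example.local",
]

if __name__ == "__main__":
    print("single-name cert:", uncovered("office.example.test", [], CLIENT_HOSTS))
    san = ["office.example.test", "autodiscover.example.test", "sbs01.example.local"]
    print("UC/SAN cert:", uncovered("office.example.test", san, CLIENT_HOSTS))
```

Any host the function reports as uncovered is a name that either has to be added to the certificate or has to stop being published to clients.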