From: Rich Matheisen [MVP] on 21 Jun 2010 21:27

On Mon, 21 Jun 2010 07:03:48 -0700 (PDT), Mikey <texan767(a)hotmail.com> wrote:

[ snip ]

>ExRCA is testing the SSL certificate to make sure it's valid.
> The SSL certificate failed one or more certificate validation checks.
> Test Steps
> The certificate name is being validated.
> Certificate name validation failed.
> Tell me more about this issue and how to resolve it
> Additional Details
> Host name mydomain.com does not match any name found on the server
>certificate CN=www.stratocentric.com, OU=Domain Control Validated,
>O=www.stratocentric.com

Is that the *REAL* name? www.stratocentric.com

If it is, the certificate installed on that site has been revoked. The warning also states that none of the names in the certificate match the name you used to get to the server.

If it's not the real name then you're doing yourself no favors by not disclosing the real name. Obfuscate the name if you like (e.g. "host" <dot> domain d-o-t com") -- humans are pretty good at recognizing the stuff that should be removed or replaced.

[ snip ]

> Certificate is valid: NotBefore = 6/15/2010 1:24:15 PM, NotAfter =
>8/6/2010 3:30:03 PM"

That's a pretty narrow date range for a commercial certificate!

Are you sure you've installed the certificate correctly? Have you activated the certificate for the correct uses?

---
Rich Matheisen
MCSE+I, Exchange MVP
From: Rich Matheisen [MVP] on 21 Jun 2010 21:40

On Mon, 21 Jun 2010 14:14:40 -0700 (PDT), Mikey <texan767(a)hotmail.com> wrote:

[ snip ]

>Installed certificate & still having problems...
>I am once again getting warnings when using OWA, too.

. . . and that warning is?

>When I ran the wizard, it put in the name remote.mydomain.com by
>default, I guess, even though the machine is named
>exchange.mydomain.com.
>According to someone's blog out there, I was also to include the
>following names on the certificate;
>autodiscover.mydomain.com
>exchange.mydomain.local
>exchange
>sites
>Is this right?

You'll want the names in the certificate that you'll use to access the resources you're offering:

Owa-host.externaldomainname.com
AutoDiscover.externaldomainname.com
server.internaldomainname.local

You may want to add to that list:

mail-server.externaldomainname.com
mail-server.internaldomainname.local

GoDaddy might be lenient enough to allow you to use names without them being fully qualified, but other CAs probably won't. It'd be a good idea to have the name by which you access the resources from inside your LAN be the same as the names you use from outside. Publish the names and the LAN IP addresses in your internal DNS and the names and external IP address in your external DNS. There's no confusion among the users as to what name should be used because they're the same everywhere.

>I also have an SRV record in my public DNS records, but exchange test
>website is still reporting errors, as well.
>Needless to say, remote outlook clients aren't connecting, either.
>I am really starting to regret moving from my good ol' reliable 2003
>SBS....

If you're having a problem getting the CSR generated for submission to the CA, try using DigiCert's tool for that:

https://www.digicert.com/easy-csr/exchange2007.htm

---
Rich Matheisen
MCSE+I, Exchange MVP
From: Cliff Galiher - MVP on 21 Jun 2010 22:12

Alright, just to get everybody back on the same page, I received a private email from "Mikey" with the results of his log. He was concerned about publishing the information publicly, so it isn't my place to supersede that decision.

With that said, what I *can* share is that their AutoDiscover is configured to work using the SRV record method and the domain name the SRV record returns does not match the domain name on the certificate.

So the fix here is to update DNS and have the SRV record point to remote.<domain-name>. That should resolve the issue.

--
Cliff Galiher
Microsoft has opened the Small Business Server forum on Technet! Check it out!
http://social.technet.microsoft.com/Forums/en-us/smallbusinessserver/threads
Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.
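Added example (not part of the original thread or any poster's code): a small Python check of the condition described in the post above, that the host an AutoDiscover SRV record returns must be covered by a name on the certificate. The example.com names, the SRV data and the helper function names are constructed for illustration.

```python
# Added illustration. Names and SRV data are constructed, not taken from the thread.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(cert_name, host):
    """True if cert_name (exact, or a left-most-label wildcard) covers host."""
    c, h = _labels(cert_name), _labels(host)
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # A wildcard stands for exactly one left-most label and must be
        # followed by at least two more labels (so "*.com" never matches).
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def uncovered_names(cert_names, client_names):
    """Return the client-facing names that no certificate name covers."""
    return [h for h in client_names
            if not any(name_matches(c, h) for c in cert_names)]

def parse_srv_target(srv_rdata):
    """Extract the target host from SRV RDATA: 'priority weight port target'."""
    _priority, _weight, _port, target = srv_rdata.split()
    return target.rstrip(".")

# Constructed sample: names on the certificate (subject CN plus SANs).
CERT_NAMES = [
    "remote.example.com",
    "autodiscover.example.com",
    "exchange.example.local",
]

# Constructed RDATA for _autodiscover._tcp.example.com, before and after the DNS fix.
SRV_BEFORE = "0 0 443 exchange.example.com."
SRV_AFTER = "0 0 443 remote.example.com."

if __name__ == "__main__":
    for rdata in (SRV_BEFORE, SRV_AFTER):
        target = parse_srv_target(rdata)
        missing = uncovered_names(CERT_NAMES, [target])
        print(target, "-> MISMATCH" if missing else "-> covered by certificate")
```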
From: Mikey on 21 Jun 2010 22:26

On Jun 21, 8:40 pm, "Rich Matheisen [MVP]" <richn...(a)rmcons.com.NOSPAM.COM> wrote:
> On Mon, 21 Jun 2010 14:14:40 -0700 (PDT), Mikey <texan...(a)hotmail.com>
> wrote:
>
> [ snip ]
>
> >Installed certificate & still having problems...
> >I am once again getting warnings when using OWA, too.
>
> . . . and that warning is?
>
> >When I ran the wizard, it put in the name remote.mydomain.com by
> >default, I guess, even though the machine is named
> >exchange.mydomain.com.
> >According to someone's blog out there, I was also to include the
> >following names on the certificate;
> >autodiscover.mydomain.com
> >exchange.mydomain.local
> >exchange
> >sites
> >Is this right?
>
> You'll want the names in the certificate that you'll use to access the
> resources you're offering:
>
> Owa-host.externaldomainname.com
> AutoDiscover.externaldomainname.com
> server.internaldomainname.local
>
> You may want to add to that list:
> mail-server.externaldomainname.com
> mail-server.internaldomainname.local
>
> GoDaddy might be lenient enough to allow you to use names without them
> being fully qualified, but other CAs probably won't. It'd be a good
> idea to have the name by which you access the resources from inside
> your LAN be the same as the names you use from outside. Publish the
> names and the LAN IP addresses in your internal DNS and the names and
> external IP address in your external DNS. There's no confusion among
> the users as to what name should be used because they're the same
> everywhere.
>
> >I also have an SRV record in my public DNS records, but exchange test
> >website is still reporting errors, as well.
> >Needless to say, remote outlook clients aren't connecting, either.
> >I am really starting to regret moving from my good ol' reliable 2003
> >SBS....
>
> If you're having a problem getting the CSR generated for submission to
> the CA, try using DigiCert's tool for that:
>
> https://www.digicert.com/easy-csr/exchange2007.htm
> ---
> Rich Matheisen
> MCSE+I, Exchange MVP

I tried & am getting a message that either I can't overwrite the file (there's nothing there with that correct name!) or I don't have sufficient privileges!
Is an administrator account not what it used to be?
From: Mikey on 21 Jun 2010 22:28

On Jun 21, 9:26 pm, Mikey <texan...(a)hotmail.com> wrote:
> On Jun 21, 8:40 pm, "Rich Matheisen [MVP]"
> <richn...(a)rmcons.com.NOSPAM.COM> wrote:
> > On Mon, 21 Jun 2010 14:14:40 -0700 (PDT), Mikey <texan...(a)hotmail.com>
> > wrote:
> >
> > [ snip ]
> >
> > >Installed certificate & still having problems...
> > >I am once again getting warnings when using OWA, too.
> >
> > . . . and that warning is?
> >
> > >When I ran the wizard, it put in the name remote.mydomain.com by
> > >default, I guess, even though the machine is named
> > >exchange.mydomain.com.
> > >According to someone's blog out there, I was also to include the
> > >following names on the certificate;
> > >autodiscover.mydomain.com
> > >exchange.mydomain.local
> > >exchange
> > >sites
> > >Is this right?
> >
> > You'll want the names in the certificate that you'll use to access the
> > resources you're offering:
> >
> > Owa-host.externaldomainname.com
> > AutoDiscover.externaldomainname.com
> > server.internaldomainname.local
> >
> > You may want to add to that list:
> > mail-server.externaldomainname.com
> > mail-server.internaldomainname.local
> >
> > GoDaddy might be lenient enough to allow you to use names without them
> > being fully qualified, but other CAs probably won't. It'd be a good
> > idea to have the name by which you access the resources from inside
> > your LAN be the same as the names you use from outside. Publish the
> > names and the LAN IP addresses in your internal DNS and the names and
> > external IP address in your external DNS. There's no confusion among
> > the users as to what name should be used because they're the same
> > everywhere.
> >
> > >I also have an SRV record in my public DNS records, but exchange test
> > >website is still reporting errors, as well.
> > >Needless to say, remote outlook clients aren't connecting, either.
> > >I am really starting to regret moving from my good ol' reliable 2003
> > >SBS....
> >
> > If you're having a problem getting the CSR generated for submission to
> > the CA, try using DigiCert's tool for that:
> >
> > https://www.digicert.com/easy-csr/exchange2007.htm
> > ---
> > Rich Matheisen
> > MCSE+I, Exchange MVP
>
> I tried & am getting a message that either I can't overwrite the file
> (there's nothing there with that correct name!) or I don't have
> sufficient privileges!
> Is an administrator account not what it used to be?

D'OH! Forgot 'run as administrator'!