Problems after renewing SSL cert on CAS servers (NLB clustered)


  • Problems after renewing SSL cert on CAS servers (NLB clustered)

    Hello Everyone,

    I recently renewed an SSL certificate on Exchange 07 CAS servers (NLB cluster), however when I run "test-OWAConnectivity" I get an error "WARNING: The test was unable to establish a connection to Outlook Web Access." on ServerA. When I run "test-ActiveSyncConnectivity" and "test-WebServicesConnectivity", I get failures about the remote party having closed the transport stream.

    After exporting the renewed cert from ServerA to ServerB, I ran the same test cmdlets on ServerB, but got "Success" for test-owaconnectivity and got "Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure" for the test-activesyncconnectivity and test-webservicesconnectivity test commands.

    I've spent 2 days trying to troubleshoot this issue on ServerA and ServerB. The strange thing is that users do not have any problem accessing OWA via the web or syncing emails to their mobile devices.

    I would greatly appreciate it if someone could help me resolve this ongoing issue.

    Please see the attached screenshot of the errors for ServerA (f1) and ServerB (f2).


    Thanks.

    Last edited by Gujumax; 11th December 2009, 19:21.

  • #2
    Re: Problems after renewing SSL cert on CAS servers (NLB clustered)

    Either a corrupt certificate, you didn't install the root certificates from the certificate provider, or the private key is missing.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Problems after renewing SSL cert on CAS servers (NLB clustered)

      Originally posted by Sembee:
      Either a corrupt certificate, you didn't install the root certificates from the certificate provider, or the private key is missing.

      Simon.
      Simon - I've replaced the certificate twice now, thinking it might be corrupted, and it still didn't work. What do you mean by not installing the root certificate from the certificate provider?

      We created a CSR for our certificate provider (Verisign) and they emailed back with CRF, which I copied and pasted into Notepad and named newssl.cer. I imported the new cert in the Exchange PowerShell on ServerA (f1), then exported it with the private key to ServerB (f2). I assigned the following services "IMAP, POP, IIS, SMTP" to the new cert thumbprint on both servers. When I view the new certificate in IIS, it shows "You have a private key that corresponds to this certificate" at the bottom, so it does have a private key.


      • #4
        Re: Problems after renewing SSL cert on CAS servers (NLB clustered)

        I am pretty sure that I have seen this question on Experts Exchange.
        On there I stated that you need to check whether you have the intermediate and root certificates that Verisign require, as I am pretty sure that they need those installed on the server.

        Simon.

        Comment
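
Added example, not part of the thread: a PowerShell check for the causes suggested in replies #2 and #4 (private key missing, intermediate or root not installed, chain not valid), to be run on each CAS node. The thumbprint is a placeholder, the certificate is assumed to be in the LocalMachine\My store, and Get-ExchangeCertificate is called only if the Exchange snap-in is loaded.

```powershell
# Added example. Placeholder: thumbprint of the renewed certificate.
$thumbprint = '<RENEWED-CERT-THUMBPRINT>'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint is not in LocalMachine\My" }

"Subject       : $($cert.Subject)"
"Valid         : $($cert.NotBefore) to $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"

# Build the chain in machine context (the stores that IIS and Exchange services use).
# The default chain policy also checks revocation online.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$built = $chain.Build($cert)
"Chain valid   : $built"

# Walk leaf -> intermediate(s) -> root and report which machine store holds each one.
# Windows can fetch a missing intermediate over the network, so a chain that builds
# here may still have an intermediate absent from the local Intermediate CA store.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $stores = @()
    foreach ($name in 'My', 'CA', 'Root') {   # CA = Intermediate CAs, Root = Trusted Roots
        $hit = Get-ChildItem "Cert:\LocalMachine\$name" |
            Where-Object { $_.Thumbprint -eq $c.Thumbprint }
        if ($hit) { $stores += $name }
    }
    if (-not $stores) { $stores = @('NOT IN LOCAL MACHINE STORES') }
    "{0}`n    stores: {1}" -f $c.Subject, [string]::Join(', ', $stores)
    foreach ($s in $element.ChainElementStatus) {
        "    status: $($s.Status) $($s.StatusInformation)"
    }
}

# Chain-level errors (empty when the chain validated cleanly).
foreach ($s in $chain.ChainStatus) {
    "Chain error   : $($s.Status) $($s.StatusInformation)"
}

# Which Exchange services and host names are bound to this certificate.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate -Thumbprint $thumbprint |
        Format-List Thumbprint, Services, CertificateDomains
}
```

Comparing the output from ServerA and ServerB side by side shows whether the two NLB nodes differ in private key, store contents or chain status.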


        • #5
          Re: Problems after renewing SSL cert on CAS servers (NLB clustered)

          Simon - It's the same post on Expert Exchange to get more input on this issue. I'm still waiting to hear back from Verisign.



          • #6
            Re: Problems after renewing SSL cert on CAS servers (NLB clustered)

            Originally posted by Sembee:
            I am pretty sure that I have seen this question on Experts Exchange.
            On there I stated that you need to check whether you have the intermediate and root certificates that Verisign require, as I am pretty sure that they need those installed on the server.

            Simon.
            Here's Verisign support response:

            "There is an Intermediate that is required but it is installed all with the same file you are issued."



            • #7
              Re: Problems after renewing SSL cert on CAS servers (NLB clustered)

              Can someone please provide me with the process for renewing an SSL cert on CAS NLB cluster servers, to ensure I did it correctly (following the articles found on the web) and didn't miss any steps? Thanks.
