  • No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

    I get event ID 12016 in the application log:
    "There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of SERVER.xxx.local"
    I have renewed the self-signed cert using the command
    Get-ExchangeCertificate -Thumbprint "xxxxx" | New-ExchangeCertificate
    and have deleted the expired cert.

    We have a valid GoDaddy cert enabled for IMAP, IIS, POP and SMTP.

    How can I resolve this error?

    Thanks.

  • #2
    Re: No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

    This is an error people are going to have to get used to.

    At the moment you can get an SSL certificate with both the public and internal name on it, but soon those will not be issued.

    Exchange is looking for a certificate that matches the FQDN on your Receive Connector. However the receive connector should ideally be left at the default of the server's internal name, particularly if you have more than one Exchange server.

    Does the self-signed certificate have the FQDN value on it? Have you restarted Transport after reissuing it?

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.

    • #3
      Re: No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

      Originally posted by Sembee:
      "This is an error people are going to have to get used to.

      At the moment you can get an SSL certificate with both the public and internal name on it, but soon those will not be issued.

      Simon."

      Could you please explain more -- is this a policy change by certificate issuers as, to date, none have had a problem with any names provided they are validated.
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      • #4
        Re: No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

        There are 2 receive connectors: Default, which has the internal name, and Windows SBS Internet Receive, which has the external GoDaddy cert name.
        We have just 1 Exchange server.
        The self-signed cert I've created does not have the internal name, but the external one, remote.xxx.ie.
        Is this why the app log error appears, as Exchange is looking for a cert with the server.xxx.local name?

        • #5
          Re: No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

          Originally posted by Ossian:
          "Could you please explain more -- is this a policy change by certificate issuers as, to date, none have had a problem with any names provided they are validated."

          November 2014 is the cut-off date.

          This is the full version:
          https://www.cabforum.org/Baseline_Requirements_V1.pdf

          Bit more friendly version:
          http://www.digicert.com/internal-names.htm
          http://www.symantec.com/theme.jsp?th...-forum-changes

          Simon.
          • #6
            Re: No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

            Originally posted by Josh 2009:
            "There are 2 receive connectors: Default, which has the internal name, and Windows SBS Internet Receive, which has the external GoDaddy cert name.
            We have just 1 Exchange server.
            The self-signed cert I've created does not have the internal name, but the external one, remote.xxx.ie.
            Is this why the app log error appears, as Exchange is looking for a cert with the server.xxx.local name?"

            SBS generates certificates for remote.example.com.
            You would have to create a self-signed certificate for host.example.local.

            Simon.
            • #7
              Re: No valid SMTP Transport Layer Security (TLS) certificate for the FQDN

              Can you give me the command to create a self-signed certificate for host.example.local?

              Do I actually need a self-signed cert, as the GoDaddy cert is installed?

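Added example (not posted by anyone in this thread): the Exchange Management Shell steps that the replies above describe, checking which FQDN each Receive Connector advertises, whether any SMTP-enabled certificate still covers it, and only then issuing a self-signed certificate for the internal name. The host name server.xxx.local is taken from the original post as a placeholder; the external CA certificate stays in place for the public name.

```powershell
# Added example, not the thread's own commands. Run in the Exchange Management Shell.
# Placeholder from the original post; replace with your server's internal FQDN.
$InternalFqdn = 'server.xxx.local'

# 1. Event 12016 names the FQDN that Exchange could not find an SMTP certificate for.
#    That FQDN comes from the Receive Connectors, so list what each one advertises.
Get-ReceiveConnector | Format-Table Identity, Fqdn -AutoSize

# 2. List the installed certificates with the names and services they cover.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 3. Does any unexpired, SMTP-enabled certificate cover the internal FQDN?
$covering = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match 'SMTP') -and
    ($_.NotAfter -gt (Get-Date)) -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $InternalFqdn)
}

if (-not $covering) {
    # 4. Nothing covers it, so issue a self-signed certificate for the internal name only.
    #    Exchange matches certificates by name, so the public CA certificate keeps
    #    serving the external name plus IIS, POP and IMAP.
    $shortName = $InternalFqdn.Split('.')[0]
    New-ExchangeCertificate -SubjectName "CN=$InternalFqdn" `
        -DomainName $InternalFqdn, $shortName `
        -Services SMTP -FriendlyName "Internal SMTP $InternalFqdn"
    # When asked whether to overwrite the existing default SMTP certificate, answer No:
    # the new certificate is still enabled for SMTP, and the public one stays the default.

    # 5. Transport reads its certificates at start-up; restart it and re-check the log.
    Restart-Service MSExchangeTransport
}
else {
    Write-Output "Internal FQDN is already covered by: $($covering.Thumbprint)"
}
```

After the restart, a fresh 12016 event means the name in the event still does not match any CertificateDomains entry on an SMTP-enabled certificate, so compare the two lists again before creating more certificates.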