Hi. My name is Patrick. I have two domains that I am having the same issue with. Those domains are remote.caseylawgroup.com, and autodiscover.caseylawgroup.com.
The issue is that according to my EAC (Exchange Administrative Center), each of the above certificates expires on 5/6/2022. However, "outside devices", e.g. my iPhone, are being told that the certificate for remote.caseylawgroup.com expired on 11/17/2021. I have no idea where this information is being drawn from or how to fix it.
Is anyone willing to help?
Hi Patrick (@Pbcaseyjdcpa) and welcome to the LE community forum
crt.sh | remote.caseylawgroup.com
A certificate can be used by any service that resides within an IP that can be resolved by any of the names within the cert's SAN field.
In the simplest case, where there is only one name and that name only points to one single IP, we still have the case of multiple services within said IP to use any available cert for its name.
So... the same system can be using one cert for HTTP(S), another cert for SMTP, and another cert for streaming services. Yes, they could all be using the same cert - but there is no guarantee of that nor any requirement for that to happen.
So.... it is quite possible that both statements are true. It just depends which service you check for cert expiry.
That said (and I realize it was a mouthful), you will need to check each service individually to ensure they have all been "renewed" (using a non-expired cert).
And, if not, then you must dig into their configs to update the certificate being used to one that hasn't expired OR renew the expired one [a system can have more than one valid cert for that single name at a time].
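Checking each service individually, as the reply above suggests, shown as an added example that is not part of the thread: it reads the certificate each port presents without validating it, so an expired certificate still reports its notAfter date. The port list (443, 25 with STARTTLS, 993) and all function names are assumptions; pass the host name your clients connect to as the first argument.

```python
import smtplib, socket, ssl, sys
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter (UTC) from a DER X.509 certificate without validating it."""
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, _ = _tlv(der, pos)              # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity
    _, _, pos = _tlv(der, pos)              # notBefore
    tag, start, end = _tlv(der, pos)        # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def fetch_der(host, port, smtp=False, timeout=10):
    """Fetch the certificate a service presents, even if it is expired."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # inspection only; never use for real traffic
    if smtp:                                # SMTP upgrades to TLS with STARTTLS
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.starttls(context=ctx)
            return s.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def report(certs, now):
    """certs maps service name -> DER bytes; returns service -> (notAfter, expired?)."""
    expiry = {svc: not_after(der) for svc, der in certs.items()}
    return {svc: (when, when <= now) for svc, when in expiry.items()}

if __name__ == "__main__":
    ports = {"https": (443, False), "smtp": (25, True), "imaps": (993, False)}  # assumed list
    certs = {name: fetch_der(sys.argv[1], p, smtp) for name, (p, smtp) in ports.items()}
    for name, (expiry, expired) in report(certs, datetime.now(timezone.utc)).items():
        print(f"{name:6} notAfter={expiry:%Y-%m-%d} {'EXPIRED' if expired else 'ok'}")
```

Services that show different notAfter dates are using different certificates, which is the situation the reply describes.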
I can confirm that your certificates bound to IIS for these services have expired. Your certificate shown in EAC is most likely something that's self-signed (a Let's Encrypt certificate only lasts for 90 days, so you are looking at something else).
How did you acquire your Let's Encrypt certificate and how did you apply it? You need to get a fresh certificate and deploy it to Exchange (and IIS for these services). You can use a script or you can do it manually, but automating is better.