Expired cert and Office 365


#1

My domain is: dlfoundry.com

We had an SSL certificate from Let’s Encrypt Authority X3 from September to December this year. It is now expired, and a security alert is popping up in some of our users’ Outlook applications telling them that the certificate has expired. This certificate was not associated with our website. None of our staff remembers signing up for this certificate. But now that it’s expired, some of our users are not able to use their email properly.

How do I get a new certificate to use with Office 365 to bring operations back to normal?

I will try to provide any additional information you ask for.

Thank you,

Daniel


#2

Hi,

Are you using hosted Office 365 (by Microsoft)?
Or is your Office 365 hosted on an IIS server which allows you to install the certificate yourself?

Thank you


#3

How did you get, and apply, the cert in September?

Then WHO did?
And HOW?


#4

rg305 - I wish I knew the answers to your questions. None of our staff knows how we got the certificate or how it was installed, or who did it. We just know that the certificate expired and now we’re left in this awkward situation. But to make things even more strange, we’ve used this domain for our email for at least a year, so I would assume we’ve had some sort of SSL certificate the whole time… but again, nobody knows who set it up or how.

stevenzhu - Hosted by Microsoft.


#5

You have not had a cert for that name the whole time.
There has only been one cert issued to that name:
https://crt.sh/?q=dlfoundry.com
or to anything ending with that name:
https://crt.sh/?q=%.dlfoundry.com

Who made changes to your system on September 10th?

Assuming “that person” is no longer “available” to assist you…
You need to figure out where the cert is being used, and maybe how it was inserted.
So you can just repeat the previous method (that worked).
If you can’t figure out how, you can just use any method that you are “comfortable with” (from the available ACME clients - for Windows [I presume]).


#6

Hi,

What server have your email clients been set up to connect to? (POP / IMAP / SMTP server name)

It seems that your O365 is hosted on Microsoft, and clients should use smtp.office365.com, outlook.office365.com to connect to those mail servers.

Thank you


#7

Hi @DanielTalbot

There is a Server: Apache/2.2.34 used with http.

And a Server: nginx/1.2.1 used with https.

None? Perhaps ask your hoster. Or your webserver is hacked.


#8

The OP is trying to renew his company’s email server certificate… Not website certificate.


#9

Yes, probably an on-prem Windows 2008 with Exchange 2013 (or close to that).


#10

Well, the weird part is the OP seems to be using Office 365 (Cloud Plan) (indicated by the MX records), which he should connect directly to Office 365 servers…


#11

There is the expired certificate:

|CN=dlfoundry.com |10.09.2018|09.12.2018 expired|dlfoundry.com - 1 e| | — | — |

There are sometimes mail clients who try to connect to the domain to find a mail server.

Perhaps they don’t use their own MX query, or the defined MX

dlfoundry-com.mail.protection.outlook.com

doesn’t answer.


#12

Is there a way for me to renew or get a new ssl certificate issued?


#13

Check this server

https://dlfoundry.com/
205.186.187.156 200 5.633 N
Certificate error: RemoteCertificateChainErrors
Server: nginx/1.2.1
Date: Wed, 12 Dec 2018 17:28:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.6.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Link: <https://dlfoundry.com/wp-json/>; rel="https://api.w.org/", <https://dlfoundry.com/>; rel=shortlink
Set-Cookie: PHPSESSID=ea1e3f93d402590e1b732415d82d6a4a; Path=/; Domain=dlfoundry.com
Vary: User-Agent,Accept-Encoding

if there is a cPanel, Plesk or an installed ACME-client like Certbot.

Your http and https versions both have the same content. But it’s curious, one is Apache, one nginx. Perhaps one acts as a proxy.


#14

Okay.

What domain / hostname are you trying to renew the certificate for?

And what domain / hostname are email clients connected to?

Thank you


#15

Trying to renew dlfoundry.com
That is the domain that our email users are connected to.


#16

That makes sense, so it’s not about Office 365 at all.

The IP PTR in your domain indicates that you are using MediaTemple’s server to host your website.

What hosting plan are you on? Do you have shell access? And, more importantly, do you have access to MediaTemple’s dashboard?

Thank you


#17

Our web host is Amazon AWS. I do not have shell access.


#18

I do have access to the AWS dashboard though


#19

You’ll need command line access to renew that certificate (or to install a certificate onto the web server). And I don’t think it’s on AWS though…

Thank you


#20

I’m agreeing with @stevenzhu; this cert problem is most likely NOT in AWS.
I would start with a client that has the problem and see where their email client is configured to connect.
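The check that posts #5 and #20 are steering towards, written out as an added example (this is not code from any of the posts or from Let’s Encrypt): given the hostname an email client is configured to use, connect with TLS, verify the certificate the way a mail client does, and report whether it has expired and which name and issuer it carries. The `cert_status()` function also works offline on the dict form that Python’s `getpeercert()` returns, and the sample certificate dict is constructed here after the expired entry quoted in post #11 (CN=dlfoundry.com, Let’s Encrypt Authority X3, 10 Sep 2018 to 9 Dec 2018; the times of day are made up). The default target `outlook.office365.com:993` is assumed from post #6; any host and port can be given on the command line.

```python
# Added diagnostic for this thread, not code from the original posts.
import socket
import ssl
import sys
import time

# Constructed sample in ssl.SSLSocket.getpeercert() dict form, shaped after the
# expired certificate shown in post #11. Times of day are invented.
SAMPLE_EXPIRED_CERT = {
    "subject": ((("commonName", "dlfoundry.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "notBefore": "Sep 10 12:00:00 2018 GMT",
    "notAfter": "Dec  9 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "dlfoundry.com"),),
}


def cert_status(cert, now=None):
    """Summarise a certificate given in getpeercert() dict form.

    `now` may be omitted (current time), a POSIX timestamp, or a string in
    the certificate's own "Mon DD HH:MM:SS YYYY GMT" notation.
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # Each RDN is a tuple of (attribute, value) pairs; take the first pair.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": cert["notAfter"],
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
        "days_left": int((not_after - now) // 86400),
    }


def probe(host, port=993, timeout=5.0):
    """Connect to an implicit-TLS port (993 IMAPS, 465 SMTPS, 443 HTTPS) and
    verify chain, validity period and hostname as a mail client would.

    Returns the cert summary on success; otherwise the verification message
    (an expired cert yields "certificate has expired"). STARTTLS ports such as
    143 and 587 need the protocol's own STARTTLS exchange first and are not
    handled here.
    """
    ctx = ssl.create_default_context()  # system trust store, expiry, hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"host": host, "port": port, "ok": True,
                        **cert_status(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # This is the same failure that makes Outlook show its warning.
        return {"host": host, "port": port, "ok": False,
                "error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "port": port, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Usage: python check_cert.py outlook.office365.com:993 dlfoundry.com:443
    targets = sys.argv[1:] or ["outlook.office365.com:993"]
    for target in targets:
        host, _, port = target.partition(":")
        print(probe(host, int(port or 993)))
    # Offline demonstration on the constructed sample, "as of" 12 Dec 2018.
    print(cert_status(SAMPLE_EXPIRED_CERT, now="Dec 12 17:28:56 2018 GMT"))
```

Run it against every host the affected clients have in their account settings (the IMAP/SMTP server names post #6 asks for, and the bare domain from post #15). The host that returns `certificate has expired` with `dlfoundry.com` as subject is the one that has to be renewed; a host that verifies cleanly with a Microsoft-issued certificate is not the source of the warning, which is the distinction posts #16 and #20 are drawing.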