New Certificate?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I apologize for I am a noob and have never dealt with this before. Basically we have 2010 Exchange here at Campbell Business Machines, which is a Mom and Pop computer shop. I need to figure out how to get a new cert so we stop getting cert errors when we access our emails… also maybe Google will stop throwing us in the spam folder?

My domain is: cbm-computers.com

I ran this command: I asked for a CSR through Exchange 2010?

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): MS Server 2012 R2 Datacenter

My hosting provider, if applicable, is: Us

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Using MS Server 2012 R2 Datacenter. We are hosting a website but I don’t need to deal with that at the moment.


#2

Hi @ThadClaflin,

It looks like you have several certificates

https://crt.sh/?Identity=%cbm-computers.com&iCAID=16418

and some of them are still current—is it possible that you have someone else taking care of this but that person (or piece of software) has neglected to update your Exchange configuration with the new certificate? It seems that there is someone or something renewing your certificate but perhaps not then installing/binding the new certificate in your server software.

Let’s Encrypt certificates are only valid for 30 days and our intended deployment model is for users to automate the renewal process via scripting or software integration. There are sites like https://zerossl.com/ that can let you use a CSR to request a Let’s Encrypt certificate (replicating the experience of a traditional paid CA), but we don’t consider this a very desirable solution for most users because it requires repeated manual efforts. For many users it would be better to switch their hosting arrangements to use a host that integrates Let’s Encrypt automatically, or use a paid CA (which can issue a certificate valid for up to 2 years), if they can’t arrange for automated certificate renewals on their own.

Do you think you could figure out who or what is getting the existing certificates for your domain, and whether one of them would work if it could be installed in Exchange?


#3

I don’t think that they currently use mail server certificate validity as a strong signal in spam filtering, because a very high number of mail servers don’t have publicly-trusted valid certificates right now (since it was traditionally not enforced by server-to-server e-mail delivery, most administrators never set it up!). So my impression is that this part might be unrelated.


#4

We had a network guy handling it but he has since quit.

I think you are spot on as far as everything is concerned and thanks so much for the quick response and information. Now based on your questions I am going to try and find some more information and see if I can get this sorted. You were extremely helpful by the way so thank you for taking the time to respond. Have a great day and if the mods wish to close this that would be just fine as I don’t think I will have another chance to check this out till after the Holidays.

P.S.
I hope to be back with answers after I figure this all out, thanks for sending me in the right direction.


#5

Try checking your IP at: valli.org
and see: https://mxtoolbox.com/SuperTool.aspx?action=smtp%3Acbm-computers.com&run=toolpage


#6

This should read 90 days.


#7

Whoops, that’s absolutely correct! I was thinking about the renewal window as opposed to the expiry time there. Thanks for the correction.


#8

90 days for now…
LOL