Quick Fix: SBS 2008 ‘Sites’ Self Signed Certificate Expired
December 7, 2011 26 Comments
Please note this article is not for renewing expired certificates used with remote web access!
I had a call today from a partner IT firm who we work with sometimes that had an issue on an SBS 2008 Server. One of the default SSL Certificates had expired, and in turn knocked out Sage 200 that was installed and running on this server. Sage links into the Default website and some of its operations require an SSL certificate. I wont pretend to understand what or why or even how because what i know about Sage can be written on top of a pin head with a power drill.
However, i did manage to help said partner replace his SSL Certificate and make Sage a happy bunny again.
Firstly i found that on my own SBS 2008 server,
the sites Certificate was also Expired.
I tried a few different ways i know to renew the certificate, which all failed. This included using the Certificates MMC for the computer account, using IIS to try to renew the certificate directly, or creating a renewal request and submitting that to the SBS-CA.
Next i decided if i can’t renew, let’s just make a new one.
So on the right hand side of the IIS Server Certificates applet, there is an option to ‘Create a Domain Certificate’
You will need to fill out all of the fields. Note that only the Common Name field is relevant (as far as i can tell anyway) Click Next when done.
On the next page you need to click on Select, and choose the only available Certificate Authority, which should be easily recognisable, given it will be the only one in the list.
Then enter a friendly name. This name is just so you can recognise the certificate in a list of all the other available certificates and is not tied to any value within the SSL at all.
Click on Finish when done.
You will now see your new SSL showing in the list.
(you can see i had a few goes at this to make sure i got it right)
Next we need to change the binding of the site that is using the expired SSL certificate.
Select the website you need to edit, in the case of Sage it is the Default Website.
On the right hand side, click on Bindings.
Under Bindings, select the HTTPS binding, and then use the drop down menu to select an SSL Certificate.
Click on OK to confirm and acknowledge any warning messages you may receive.
(Disclaimer, i cant tell you what the warnings are because i am not running Sage on my server, but rest assured i will not take any responsibility for anything that goes wrong and by reading this disclaimer in your head or out loud you have waived any legal responsibility on my part in perpetuity throughout the universe)
Moving on, you may want to just restart the website..
Your website is now running the new SSL Certificate, and any issues with Sage are now there own fault and you should probably call them.
I hope i am not giving off any Anti Sage vibe…
A while back i found this neat Sage installation guide which gives some good instruction on Installing Sage on an SBS Server. Not sure who the company is hosting the link, but i found it on Google so it’s fair game..
Hope this was useful.
About Robert Pearman
Title (Required) 
You can run the “Repair my network” wizard in the SBS console. This wizard will create a new certificate completely automatically.
In this instance the Sites certificate is not identified as expired, or repairable via the Fix My Network wizard. The FMNW will only attempt to repair the Certificate identified as bound to your Remote.Domain.Com website.
Nice. This totally worked. Way easier. +1 Internets to you, sir.
Not sure where i can trad “+1 Internets” for goods & services, but thanks all the same, you Sir are quite welcome!
If you renew the self-signed certificate via the Fix My Network wizard, will the current certificate that users have on their remote devices stop working, and they will need a copy of the newly created cert?
I dont recall exactly if the FMN will renew or create a new cert. So assuming it renews, then it will be ok. If it creates a new one then it depends how you deployed the certificate.
If you deployed the CA root certificate to the clients, then no, you will not have to redeploy anything.
If you just deployed the remote.site.com certificate chances are you will need to redeploy.
I would also say this article is not for that issue.
Robert,
I have a remote.domain.com self signed certificate that expired.
How do I renew that if it can be or how do i create a new one.
Also, can I disable the prompt on the local desktop, it annoying to the users?
http://titlerequired.com/2013/02/06/manually-creating-a-certificate-request-windows-server-essentials-sbs/
Try this one.
Apologies for posting in the incorrect place.
No problem just letting you know in case you meant to follow the steps.
Our sites certificate expired on our SBS 2008 server. We were getting errors in remote web workplace and it would ask you to log in to web access and not remember your credentials. Also we had some emails bounce. I followed this wizard and now remote web workplace goes through to Webmail fine, but it now says the cert is not trusted and also there is a mismatch on the name?
Any ideas what would cause these two issues and how to solve them? Many thanks, Mike
You may have followed these instructions for the wrong SSL. This was a specefic issue affecting the certificate named ‘Sites’ This certificate is not for use with Remote Access.
Can you tell me your public address and i will see what i can find out.
Hi Robert, I set my common name as webmail.company.co.uk instead of sites and now we can log in to RWW and then go into OWA fine. We now have another issue where I have added the certificate to trusted root certification authorities but it doesnt appear on any client machines – do i need to create a GPO for this?
Also we have laptops on workgroups in France who now cannot access webmail as it comes up with the security warning, but when you click on “continue(not recommended) nothing happens. Even after clearing temp internet files etc. It just doesnt error or proceed.
Im thinking I may need to open an exchange 2007 cmdlet window and bind smtp / pop etc to the cert? Any ideas?
Yes it sounds like you have made a mistake!
As i said, the article you read is not for this scenario.
My advice would be to purchase an SSL Certificate, these are relatively cheap and easy to install – this would solve all of your problems.
If you want to continue using a Self Signed Certificate, you should start by putting the original expired cert back in IIS, then run the Fix My Network wizard. This should renew the certificate.
If you then want to deploy that cert out, use the Certificate Installation Package, or yes, create a new GPO.
But really, you should just purchase an SSL Cert as it is the best way!
Hi Robert,
I’m having a similar problem to Mike. One of my SSB 2008 customer server asked for certifacte renewal. After I tried the Fix my network inside the network Outlook works OK, but the clients on teh outside can’t access the remote site (https://remote.mycompany.com/remote). What I noticed is if I have the certificate installed on the cliente machine whenever I try the site it seems it dosent find the site, but if I remove the certificate I can access the site with the expected certificate error and if I want to proceed, which if I choose so I can access the site and webmail.
I tried to change the binding in IIS on the SBS Web Applications to another certifacte (I have 4 remote.mycompanyweb.com now), and after that running the Fim my network. After installed the new certificate on the client (copying the Certificate Installation Package) everything is the same, can’t access the Remote webpage.
Of course the clients computers outside the network can’t use the Outlook.
I don’t know what else to do, if you could give me some ideas I appreciate.
I would stop using self signed certificates, and use a purchased one. Its certainly going to give you a better result.
Aside from that..
Is the CA Root certificate installed on all clients? External and internal?
Make sure the certificate installed to IIS is date valid.
If the CA root is trusted and the certificate is in date, and matches the name, then it should work fine.
But for about $30 you can get a godaddy cert installed in less time than it will take to repair the self signed ones :)
I don’t think the problem is directly related with the certificate, since it’s date is valid and installed on IIS. Yes, is installed both internal and external. On the server itself I can open the RWW page and the certificate is valid. My only problem is with outside clients. If I install teh certificate I can’t access the RWW page, IE says it can’t find it. If I remove the certifcate from the client, IE can open the page. My customer had a previous IT company that made something wrong to renew the certifcate that I can’t understand, and is causing this mess…
I have seen more or less that exact behaviour on sbs2011, caused by self signed cert. So I would suggest it is most likely to be a cert issue rather than IIS.
You should confirm that the cert is trusted on the external clients via the certificates mmc.
http://titlerequired.com/2011/05/17/quick-fix-internet-explorer-cannot-display-the-webpage-sbs-2011-rww-2/
I finally solved the problem, and yes, it have tod do with the certificate. Here is what I did:
1. Removed the “Certificate Distribution Package” folder and the “Install Certificate Package.zip” from the \Public\Downloads folder.
2. Ran the “Setup Your Internet Address” wizard from the Windows SBS Console.
3. Ran the “Fix My Network” wizard from the Network Tab of Windows SBS Console. (The wizard informed me that the SSL Cert Package was missing and created a new one).
4. Ran the install package on the client.
From the external client I can now open the RWW page with IE, and I can open Outlook. But, in Outlook I get an Security alert window for autodiscover.mycompany.com, then says the certificate was emitied for a company that I choose not to trust, the date is valid and the name for the certificate is invalid or don’t match the name of the site (sorry for the transaltion but my operating system is portuguese). When I press the view certificate button I find out somethin strange: Issued to: web3.host-services.com | Issued by: http://www.psoft.net. Beside this the Outlook works receiving and sending e-mail. But why those Issued to and by??
Cool!
As for autodiscover..
Your domain has a default catch all dns record setup (common)
You will find that belongs to your domain hoster or web hosting company.
You need to get that removed and then set up an SRV record for autodiscover.
Thanks. This worked for me.
Well… I have to contact the guys who manage the customer domain. What should I ask them to do on the domain? (sorry, newbie on this stuff). I don’t need the autodiscover since I setup each outllok manually.
Well outlook will always try to use auto-discover wether you want it or not.
You need to make sure that no dns query can resolve to a name that is no explicitly defined.
You need to setup an autodiscover SRV record that points to your servers public ip.
Everything is OK now. I talked with the guys who manage the domain anda they messed up. They had remote.company.com pointing to the web site IP instead of the server. Since I’m using a no-ip address on the server, I asked them to create a CNAME record for remote pointing to my ddns no-ip. That solved the problem along side with the SRV record. No more problems with Outlook and certificates, and now I can even user the autodiscover feature which is great for new external users. Thanks so much for your help and time, Robert.
Great news!