Hi All
I recently expanded from a single Exchange 2013 server to a 4-node exchange DAG with Server 2012R2 Exchange 2013. I have a GoDaddy cert installed on all 4 servers for IIS, SMTP etc.
I have noticed that on the 3 new Exchange servers I am getting:
Schannel 36887 - A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.
This is re-creatable and happens every time my cloud mail gateway/filtering service attempts to relay inbound emails to the Exchange servers using “Certificate Verification”. The cloud service error is “Peer certificate not verified”. With this verification check turned off the Schannel error doesn’t happen.
The original server does not have this issue however and I am trying to figure out what the difference is. I have done some research on 36887-48 and can see:
“Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal.”
I have compared the Trusted Root Certification Authorities in the mmc console and can see that the working server has 5 GoDaddy CA certs:
GoDaddy Class 2 Certification Authority – Server Authentication
GoDaddy Class 2 Certification Authority - <All>
GoDaddy Root Certificate Authority – G2 – Server Authentication
GoDaddy Root Certificate Authority – G2 – <All>
GoDaddy Secure Certificate Authority – G2 - <All>
The 3 other servers have just 3, with the below 2 missing:
GoDaddy Class 2 Certification Authority – Server Authentication
GoDaddy Root Certificate Authority – G2 – Server Authentication
When I imported the certificate into the 3 new Exchange servers, I just used the Exchange Admin Centre import GUI – I don’t remember manually installing any intermediate certs. Are those 2 missing CAs what’s causing the issue? What is the best way to import them? Other than this issue, I do not have any other certificate issues that I am aware of.
Thanks
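An added example, not from the original post: a PowerShell check to run on each DAG node that builds the chain for the Exchange certificate and reports whether every CA in that chain is present in the machine's Trusted Root or Intermediate CA store (the store Schannel draws on when it sends the chain to the peer). It assumes $Thumbprint is the thumbprint of the GoDaddy server certificate as shown by Get-ExchangeCertificate; the import path at the end is a placeholder.

```powershell
# Added example (not the original poster's code). Run once per Exchange server.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # thumbprint of the GoDaddy server cert in the Personal store
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# Build the chain the way a relying party would. Revocation is skipped so an
# offline check does not hide the trust question (alert 48 = unknown CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

Write-Host "Chain builds cleanly: $built"
foreach ($s in $chain.ChainStatus) {
    Write-Host "  status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# Thumbprints already present in the local Root and Intermediate CA stores
$rootTp = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
$caTp   = (Get-ChildItem Cert:\LocalMachine\CA).Thumbprint

# Walk the chain from the leaf upwards and say where each element lives locally.
# Note: Windows may fetch a missing intermediate via the cert's AIA URL while
# building, so $built can be True even though the element is not in any local
# store. That is the case to look for on the three new nodes.
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $where = 'MISSING from local stores'
    if ($caTp   -contains $c.Thumbprint)    { $where = 'Intermediate CA store' }
    if ($rootTp -contains $c.Thumbprint)    { $where = 'Trusted Root store' }
    if ($c.Thumbprint -eq $cert.Thumbprint) { $where = 'Personal store (leaf)' }
    Write-Host ("{0,-28} {1}" -f $where, $c.Subject)
}

# A missing intermediate (downloaded from the CA's repository; path is a
# placeholder) belongs in the Intermediate CA store, not in Trusted Root:
# Import-Certificate -FilePath .\intermediate.crt -CertStoreLocation Cert:\LocalMachine\CA
```

Compare the output from the working server with that of a new node: any chain element reported as missing locally is the one the peer's "Certificate Verification" cannot resolve.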