The remote certificate is invalid according to the validation procedure (SSIS)

  • Question

  • Recently our exchange UCC cert expired and apparently you can no longer include subject alternate names that are not validated domains such as domain.local

    As a result all of our clients started receiving certificate warnings. I was able to solve that particular issue by changing the internal server urls to use the domain name listed on the new certificate instead of the local server name.

    However I am now getting the following error in some of my SSIS packages that use a smtp connection manager to send emails through a relay connector in exchange:

    "The remote certificate is invalid according to the validation procedure"

    I can solve the issue by unchecking 'use ssl' but ideally I would like to know why SSIS is suddenly no longer able to use SSL to send mail through smtp relays. The smtp connection uses the hostname that is listed on the certificate so I don't really understand why it can't validate it anymore. It was working prior to the new certificate.

    Thanks

    Wednesday, December 12, 2012 5:52 PM

Answers

  • If it's invalid, I'd remove it. I've seen some 3rd party tools that freak out when removing a certificate that was invalid tho, because they'd make an exception on expiration date and still wanted to use it.

    If it's not enabled for anything, then there's no need to keep it.

    Disabled tho, it won't ever come into play.


    stefan@xperta

    • Marked as answer by rkbjr Thursday, December 13, 2012 3:38 AM
    Wednesday, December 12, 2012 7:51 PM

All replies

  • Not familiar with SSIS at all so hard to say (minimal experience with SQL).

    You *might* try asking in the SQL forum - and SSIS subforum or whatever forum is most pertinent.

    (It almost sounds more like a SSIS question to me).


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, December 12, 2012 6:20 PM
  • I think SSIS is just triggering the error. I believe the underlying issue is the recent changes that were made to the SSL certificate on the Exchange server.

    My gut says it's a configuration problem with the SMTP relay connector. Further investigation has yielded the following error on the Exchange server event log:

    There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of Server.Domain.Local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of Server.Domain.Local should be installed on this server as soon as possible.

    As previously stated, UCC certs can no longer contain unverifiable domain names such as Servername.domain.local or Servername. I followed this article to correct certificate errors experienced by outlook clients:

    http://support.microsoft.com/kb/940726

    Wednesday, December 12, 2012 7:25 PM
  • Have you enabled this new certificate for SMTP in Exchange?

    Does the FQDN on the connector match the name on the certificate?


    stefan@xperta

    Wednesday, December 12, 2012 7:37 PM
  • What kind of connector is that?

    A Receive Connector?

    If so, look at the General Tab of the connector (under the connector properties).

    What FQDN do you have for the EHLO/HELO responses?

    If it's still for the .local domain name, perhaps that's the problem (???)


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    Wednesday, December 12, 2012 7:39 PM
  • Stefan and Le Pivert,

    I did enable the SSL for smtp using the Exchange shell.

    It is a receive connector

    The EHLO/HELO response was still set to the internal server name. I've configured it to use the domain listed on the SSL but I'm still getting the error. Will I need to restart the transport service possibly?

    Also, I ran Get-exchangecertificates and the invalid certs are still listed. Will these need to be removed?

    Wednesday, December 12, 2012 7:47 PM
  • Okay, well first things first. I'll try restarting the transport service and see if the new fqdn on the connector solves my immediate issue. If that fails I'll try disabling/removing the invalid certs. I can't restart until after hours so I'll update you guys as soon as I'm able.
    Wednesday, December 12, 2012 8:06 PM
  • Just changing the FQDN on the receive connectors didn't seem to be enough for me.

    However, removing the invalid self-signed certificates did fix the problem.

    Thanks everyone

    Thursday, December 13, 2012 3:37 AM
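A diagnostic for the error discussed in this thread, added here as an example and not code from any of the posts: it opens a STARTTLS session to an SMTP relay and reports why the presented certificate would fail the validation an SMTP client performs (chain or expiry rejected by OpenSSL, or the name the client connects to not among the certificate's DNS names). The relay host name, port and the sample certificate are constructed assumptions.

```python
import smtplib
import ssl
import time


def cert_problems(cert, expected_fqdn, now=None):
    """Return human-readable reasons why `cert` (a dict in the shape returned by
    ssl.SSLSocket.getpeercert()) fails validation for a connection to
    `expected_fqdn`. An empty list means no problem was found."""
    now = time.time() if now is None else now
    problems = []
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired on %s" % cert["notAfter"])
    # Hostname check: DNS SANs take precedence; the subject CN is consulted
    # only when the certificate carries no SANs. Wildcards are not handled.
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if expected_fqdn.lower() not in names:
        problems.append("name %s not in certificate names %s" % (expected_fqdn, names))
    return problems


# Constructed sample modelled on the thread: the new UCC certificate carries
# only public names, while the connector still announces a .local name.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "autodiscover.example.com")),
    "notBefore": "Dec 01 00:00:00 2012 GMT",
    "notAfter": "Dec 01 00:00:00 2014 GMT",
}


def check_smtp_relay(host, port, expected_fqdn):
    """Open a STARTTLS session to the relay and report validation problems.
    Chain and expiry are checked by OpenSSL; hostname matching is done by
    cert_problems() so a mismatch is reported instead of just raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we report the name mismatch ourselves
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return cert_problems(smtp.sock.getpeercert(), expected_fqdn)
    except ssl.SSLCertVerificationError as e:
        return ["chain validation failed: %s" % e.verify_message]


if __name__ == "__main__":
    # Placeholder relay name; replace with the FQDN the connection manager uses.
    print(check_smtp_relay("relay.example.com", 25, "relay.example.com"))
```

Running it against the relay with the same host name the SSIS connection manager uses shows directly whether the failure is the expired certificate or a name the certificate does not carry.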