SFB Server 2015 Certificate problems

  • Question

  • Hello everyone,

    I have a question and I can't find an answer for it anywhere...

    I can't sign in to the SFB 2015 server (version 6.0.9319.259 for both the app and edge server) from outside the organization network (certificate error), and the connectivity testing analyzer shows this error:

    Testing remote connectivity for user myemail@contoso.com to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Elapsed Time: 580 ms.
    Test Steps
    Attempting to resolve the host name externalsip.comodo.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: NAT address
    Elapsed Time: 73 ms.
    Testing TCP port 443 on host externalsip.comodo.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 154 ms.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Additional Details
    Elapsed Time: 298 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server externalsip.comodo.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=internaledgeservername.comodo.com, O=ORG, L=City, C=Country, Issuer: CN=LOCALCA, DC=ORGNAME, DC=com.
    Elapsed Time: 252 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name externalsip.comodo.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 0 ms.
    Certificate trust is being validated.
    Certificate trust validation failed.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=internaledgeservername.comodo.com, O=ORG, L=CITY, C=Country.
    A certificate chain couldn't be constructed for the certificate.
    Additional Details
    The certificate chain couldn't be built. You may be missing required intermediate certificates.
    Elapsed Time: 20 ms.

    Maybe somebody has some troubleshooting tips: what could be missing, what I have to do with those certificates, where can I get them? The external cert is from an external CA and the internal cert is from AD CA. I tried adding root certificates in the root and intermediate certificate stores, I tried adding the external CA's provided trust certs and the SIP cert in those cert stores on both servers, and recreated the internal certificate using the CA, but nothing seems to work or help in this situation...

    If you need any more info, I can try providing it from logs and etc.

    I would appreciate help regarding this problem and how to solve it.

    Rihards


    Tuesday, October 4, 2016 6:12 AM

Answers

  • The remote connectivity analyzer will not get the internally published certificate, only the certificate published to the external interface.

    Remote Certificate Subject: CN=internaledgeservername.comodo.com, O=ORG, L=City, C=Country, Issuer: CN=LOCALCA, DC=ORGNAME, DC=com.

    Shows that a connection to externalsip.comodo.com is verified by a certificate with CN=internaledgeservername.comodo.com issued by LOCALCA... I would expect this certificate on your Access Edge IF to be issued by your LOCALCA issuer.


    Kenneth ML || Please remember, if you see a post that helped you please click Vote on the left side of the response, and if it answered your question please click Mark As Answer.

    Tuesday, October 4, 2016 12:17 PM

All replies

  • The certificate you are using on the externalsip.comodo.com interface is issued by your LOCALCA. Unless you modified the log too much, this could indicate you have assigned the wrong certificate to the external service.

    On the Edge server you must have a publicly signed certificate on the external interfaces, and you may have an internally or publicly signed certificate on the internal interface.


    Kenneth ML || Please remember, if you see a post that helped you please click Vote on the left side of the response, and if it answered your question please click Mark As Answer.

    Tuesday, October 4, 2016 10:40 AM
  • Thank you for your reply,

    But this is one of the problems: the Connectivity Analyzer is trying to build a certificate chain using the internal certificate, but it finds the externally generated certificate on port 443... But all my certificates are set up correctly: the external interface has a certificate from the external CA (Comodo) and the internal certificate is generated from the internal CA. The application server certificates are also generated from the internal CA and everything looks correct... Maybe I am missing something, some certificate, or maybe it's a mistake in DNS or in ports? Maybe there is some way I can test this with some testing tool or something? I double-checked the certificate chains and everything is okay with the internal and external certificates.

    Rihards

    Tuesday, October 4, 2016 11:13 AM
  • As strange as it is, your explanation gave me an idea, and I tested all DNS records and it seems that one of them was missing/entered wrong... Will keep on testing. For now, thank you for your help!

    Rihards

    Wednesday, October 5, 2016 8:13 AM
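    The two things the thread turned on, which certificate the public Edge name actually presents on 443 and which host that name resolves to, can be checked from any Windows machine outside the network with the script below. It is an added example, not part of the original thread or of any Microsoft tool; it does roughly what the Connectivity Analyzer steps above do (resolve, connect, fetch the leaf certificate, confirm the SAN, try to build the chain). The host names and SIP domain are the placeholders used in the thread and are assumptions to replace with your own; the SRV names are the standard ones SfB clients and federation partners query. Run it from a machine that is not domain-joined: a domain member has the AD CA's root pushed into its trust store, so a chain to LOCALCA builds fine there and the problem is invisible, which is why "I double-checked the chains" from inside can look correct.

```powershell
# Added example (not from the original thread): inspect what an SfB Edge external
# FQDN really presents, from outside the corporate network.
# Placeholders (assumed, taken from the thread): contoso.com, externalsip.comodo.com
param(
    [string]$SipDomain   = 'contoso.com',
    [string[]]$EdgeFqdns = @('externalsip.comodo.com'),   # add web-conf / A-V edge names as needed
    [int]$Port           = 443
)

function Get-EdgeDnsView {
    param([string]$Domain, [string[]]$Hosts)
    # SRV records that remote sign-in and federation use to locate the Access Edge.
    foreach ($srv in @("_sip._tls.$Domain", "_sipfederationtls._tcp.$Domain")) {
        try {
            $recs = Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'SRV' }
            foreach ($r in $recs) { '{0} -> {1}:{2}' -f $srv, $r.NameTarget, $r.Port }
        } catch { '{0} -> NOT FOUND ({1})' -f $srv, $_.Exception.Message }
    }
    # A records: if a name resolves to the wrong NAT address you will be handed
    # whatever certificate lives on *that* box, exactly the symptom in the thread.
    foreach ($h in $Hosts) {
        try {
            $a = Resolve-DnsName -Name $h -Type A -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
            '{0} -> {1}' -f $h, (($a.IPAddress) -join ', ')
        } catch { '{0} -> NOT FOUND ({1})' -f $h, $_.Exception.Message }
    }
}

function Test-EdgeCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    # Accept anything during the handshake: we want to inspect the certificate,
    # not have the client refuse it before we can look at it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        # SNI is the public name, the same way the analyzer and SfB clients send it.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }

    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # Build the chain as an outside client would: only the local machine's trusted
    # roots and whatever intermediates the server sent or AIA can fetch.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust from CRL reachability
    $built = $chain.Build($cert)

    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        SanContains = $san -match [regex]::Escape($HostName)
        ChainBuilt  = $built
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainPath   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

Get-EdgeDnsView -Domain $SipDomain -Hosts $EdgeFqdns
foreach ($h in $EdgeFqdns) { Test-EdgeCertificate -HostName $h -Port $Port | Format-List }
```

    Read the output in this order: if the SRV target or A record points somewhere other than the Edge's public NAT address, fix DNS before touching certificates. If DNS is right but Issuer shows your internal CA, the wrong certificate is assigned to the external interface. If the issuer is the public CA and ChainBuilt is still false with a PartialChain status, the Edge is not sending the CA's intermediate certificate and it needs to be imported into the Edge's intermediate store.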
  • Did you find a solution? I have the same issue where the internal cert is being offered externally. It's probably because we are not using a reverse proxy, but we should be able to get it to work.
    Friday, February 14, 2020 1:50 PM