Essentials 2016 adding a new SSL certificate every 1-2 days

    Question

  • I installed Server 2016 Standard with the Essentials role about a month ago. I set up mydomain.remotewebaccess.com in the Anywhere Access Wizard. It automatically revoked a certificate with the same name issued to my previous 2012 R2 Essentials server.

    Now I see that it is installing a new certificate every one or two days. I'm up to 21 certificates in about 32 days:

    When I browse to the remote site in Firefox, I can see that IIS is using the most recent certificate, issued two days ago. However in IIS > Server Certificates, I see that "Enable Automatic Rebind of Renewed Certificates" has not been activated.

    What is causing the frequent re-issue of certificates and how can we stop it?

    Thanks,

    Mark Berry
    MCB Systems

    Tuesday, August 29, 2017 9:21 PM

Answers

  • @larsa001,

    As I understand it, when deciding every two days whether to request a new certificate, the server looks in the certificate store for an existing certificate named xxxx.remotewebaccess.com. Somehow the presence of the extra SAN starting with www. causes this search to fail, so, thinking no certificate is present, the server requests a new certificate.

    What is not clear is whether this is an issue in the server or at Go Daddy:

    - I haven't examined the Certificate Signing Request (CSR), but support tells me that it does not specify a SAN. Maybe if the server explicitly requested only one SAN, it would not get the extra one.

    - Or maybe Microsoft could just ask Go Daddy to skip adding the "free" www. prefix to certs for the remotewebaccess.com domain.

    Regardless, the server logic should be corrected so that it inspects all SANs when searching for an expected certificate. Then it would not matter if Go Daddy added the www.

    The only workaround suggested was to go back to the issuing self-signed certs. I will pay for a cert before I do that.

    • Marked as answer by mcbsys Saturday, November 4, 2017 9:00 PM
    Tuesday, October 31, 2017 10:35 PM

All replies

  • Mine looks even worse. If this has anything to do with the VPN connectivity issue, I would love for it to be solved.
    Wednesday, August 30, 2017 2:21 AM
  • Hi,

    According to your description, my understanding is that RWA certificates are issued so frequently that there are too many certificates on IIS. 

    Please try below operation and check the result:
    1. Disable RWA using Anywhere Access Configuration Wizard.
    2. Open IIS – Server Certificate, manually delete all certificates which are issued by Go Daddy, and re-start IIS.
    3. Re-start the system and re-enable RWA using Anywhere Access Configuration Wizard.
    4. Wait for a period of time to confirm the Certificate change on IIS.

    If possible, please provide screenshot of certificate status/increase on IIS. Also, please make sure that your server is fully patched. 

    I will build an Essentials Server in my test environment to confirm this. If you have any updates during this process, please feel free to let me know.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 30, 2017 3:12 AM
    Moderator
  • Thank you for your suggestion. I have followed the above steps and will report back in a few days with the results.
    Wednesday, August 30, 2017 10:51 PM
  • Hi Eve,

    Here is a screen shot of IIS Server Certificates before deleting the certificates:

    I followed your instructions to disable RWA (also VPN), delete the Go Daddy certs, reboot, then re-enable RWA and VPN. I told it that I already had a certificate, but do I? This failed with this error:

    I clicked "I want to skip the listed issues for now and run the wizard again later." After this, Anywhere Access says it is ON:

    If I click to configure Anywhere Access, it already shows my domain name (although I did not enter this in the wizard):

    However at this point, both the Certificate Manager and IIS show that there is NO GoDaddy certificate.

    I tried to Repair Anywhere Access. Same error and still no certs installed.

    Next I went back and told it that I wanted to set up a cert. After logging in with my Microsoft ID, I told it that I want to use the registered domain name:

    This immediately installed TWO Go Daddy certs with different expiration dates, seen here in IIS:

    The domain add wizard said that I needed to run Anywhere Access Repair, which I did. This time it failed with a different error:

    And in fact, I can no longer reach the server using the mycompany.remotewebaccess.com address. How do I force that Dynamic DNS synchronization to occur? After awhile, this fixed itself, but I would still like to know how to force a dynamic DNS update.

    The wizard lost the configuration of the static address pool for the VPN, so I reset it using PowerShell as explained in this article:

    https://www.mcbsys.com/blog/2017/08/set-a-static-ip-address-pool-for-your-2016-vpn/

    Mark Berry
    MCB Systems


    • Edited by mcbsys Wednesday, August 30, 2017 11:56 PM
    Wednesday, August 30, 2017 11:54 PM
  • Hi there,

    I'm not a systems engineer at all, but we have been suffering the same problem: the certificate related to 'Everywhere access' is generated every 1.5 days approx.

    Indeed this is preventing the correct functioning of remote web access, like access to a remote app through "companyname.remotewebaccess.com". It is hard to see, because it actually works when it is set up (an external computer can access the VPN and app) but stops working around 1.5 days later (the external computer cannot access it anymore). The most confusing point is that every time I have restarted the service, it works again, for another 1.5 days.

    The event log does not seem that helpful, since it reports many entries that are not related to this issue at all and might confuse you and lead you to useless solutions.

    I checked things like SSL and TLS, policies, lack of permissions for some files that are reported as errors in Server Manager, installation and different settings of the gateway role, problems with self-signed certificates, etc.

    Same as Mark Berry, new Go Daddy certificates do appear, seemingly from the Remote Web Access service. After checking many logs and trying many solutions, I am beginning to lean toward this continuous generation of certificates being behind it. But I am not sure why just restarting the server fixes it.

    So I have been looking in the IIS manager for some item related to a disconnection or change at a fixed interval.

    In the 'Group of applications' list, there are two, 'CertWebService_App' and 'RemoteAppPool', that in their settings, 'recycle' section, have set:

    - Disallow rotation on config change: False

    - Disallow overlapping rotation: False

    - Time: 1740 minutes

    1740 minutes is 29 hours, which matches the loop of the issue pretty accurately.

    So, from ignorance, it actually seems this is the thing which is creating new certificates.

    Still, I'm not sure if I should just erase this recycling time or first try 'Disallow overlapping rotation' as True, since it says it replaces the existing process and might prevent creating new certificates, replacing the previous one instead. I don't know.

    For now I have deleted all of the Remote Access Desktop to start again with it from clean. Now there is only one certificate related to this remote web access, and the plan is to wait for those 1740 minutes to check if this fails again, and in that case change the configuration mentioned above for 'Disallow overlapping rotation' first, check again after 1740 minutes, and if it remains, then delete the recycling time.

    As said, I'm not a systems engineer and I could be completely wrong.

    Kind regards,


    Thursday, August 31, 2017 9:46 AM
  • Hi,

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 31, 2017 9:55 AM
    Moderator
  • Update:

    Yesterday's certificates were issued at 4:20pm. Today, I got a third cert, also at 4:20pm, exactly 24 hours later.

    I see in the Application event log that there are several ESENT errors today at 4:20pm:

    ESENT 490 (7 times): svchost (19680) An attempt to open the file "C:\Windows\system32\LogFiles\Sum\Api.chk" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).

    Sometimes ESENT 490 is on file "C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb".

    ESENT 439 (1 time):  svchost (19680) Unable to write a shadowed header for file C:\Windows\system32\LogFiles\Sum\Api.chk. Error -1032.

    ESENT 454 (1 time):  svchost (19680) Database recovery/restore failed with unexpected error -1032.

    Friday, September 1, 2017 1:46 AM
  • I have an update for you. This morning I attempted to connect one of my computers to the VPN and it connected then instantly disconnected, like it's been doing since I installed Windows Server 2016 Essentials. I checked the IIS certificates and now there are two issued by GoDaddy. Restarting the IIS server doesn't fix the VPN issues. I have to actually reboot the whole server.
    • Edited by Joe_R Friday, September 1, 2017 2:44 PM
    Friday, September 1, 2017 2:41 PM
  • Another update. I tried to connect to my VPN again today and it would connect and then immediately disconnect so I remoted into the server and now there is a third GoDaddy issued certificate. It looks to me like whatever issue is causing new certificates to be generated is also behind the VPN connectivity issue some of us are experiencing. Every time a new certificate is generated, the VPN functionality seems to break until the server is restarted. I hope this information helps in getting this bug patched.

    • Edited by Joe_R Monday, September 4, 2017 1:14 AM
    Sunday, September 3, 2017 6:08 AM
  • Hi,

    We are working on this issue now, any update will be provided as soon as possible.

    Best Regards,
    Eve Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 4, 2017 2:16 AM
    Moderator
  • Hi,

    Please collect the following information:
    1. Enable CAPI2 event log with the steps within the link below. Then reproduce the issue that the certificate was added again, and help save the CAPI2 event log as .evtx file and upload it.

    Enable CAPI2 event logging to troubleshoot PKI and SSL Certificate Issues:
    https://blogs.msdn.microsoft.com/benjaminperkins/2013/09/30/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues/

    2. For the new added certificate, please view it and capture the screenshot so that I could see the Serial number. And please capture the screenshot of the last certificate as well. Such as below screenshot:


    3. Run the following command and upload the result:
    certutil -silent -store my >c:\my.txt

    4. Run the following command and upload the result:
    schtasks /query /FO CSV /V >C:\output.csv

    5. Run the following command and upload the result:
    wevtutil epl System C:\system.evtx
    wevtutil epl Application C:\app.evtx

    Thanks for your time and effort. 

    You can upload files/screenshots to OneDrive(https://onedrive.live.com/). Share them and provide me the access link. 

    Share OneDrive files and folders:
    https://support.office.com/en-gb/article/Share-OneDrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 5, 2017 1:53 AM
    Moderator
  • Hi Eve,

    Thanks for the reply. I can collect the data, but how will I share it so it is private for you only? Do I need your email address? I do not see a way to send private messages on this forum.

    Regards,

    Mark Berry

    Tuesday, September 5, 2017 4:03 PM
  • Hi,

    Due to the company's security procedures/policies, as the forum supporter, we can only contact customers via forum reply, and we are unable to provide personal information (such as a contact mail address or phone number) to the thread owner.

    If necessary, Microsoft also provides other technical support methods, using mail or phone, which are more secure and allow a more in-depth investigation, so that you would get a more satisfying explanation and solution to this issue.

    Just contact Microsoft Customer Support and Services - Global Customer Service phone numbers:
    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

    Thank you for your understanding. 

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 6, 2017 2:06 AM
    Moderator
  • Thank you Eve. When I have time to collect the requested info, I will start a new thread in the Microsoft partner forum.

    Regards,

    Mark Berry
    MCB Systems

    Friday, September 8, 2017 2:49 AM
  • Hi,

    It’s my pleasure~

    If there is anything else we can do for you, please feel free to let me know. Also, if possible, please share your solution if the problem has been resolved. It would be helpful for other people who have a similar problem.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, September 8, 2017 6:01 AM
    Moderator
  • Here is a link to all the information you requested. Thank you for taking the time to help get this bug tracked down.
    Friday, September 8, 2017 7:31 AM
  • Was this ever resolved? I am having the same issue, every 2 days IIS changes its cert from the correct GoDaddy SSL to the RWA cert and it's causing issues.
    Friday, September 8, 2017 5:54 PM
  • Hi Joe_R,

    In general, there is one question for one customer within one thread, as environment, configuration, etc. may be different. Please post a new thread for your question and provide a detailed description.

    Thank you for your understanding.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 11, 2017 8:55 AM
    Moderator
  • Eve - I have started another thread in the partner forum. I wanted to note that the certutil command generates several errors. I added 2>&1 at the end so I could capture stderr and stdout in the same text file.

    certutil -silent -store my >c:\my.txt 2>&1

    Joe (and others) - if you start a new thread, please add a link to it here. I'll be interested to see any resolution you receive.

    Regards,

    Mark Berry
    MCB Systems

    Wednesday, September 13, 2017 12:50 AM
  • Hi,

    Thank you for your update.

    I have tested in my environment; a newly built server does not have a similar problem. A new Go Daddy certificate is added only when re-running/re-enabling RWA via the Anywhere Access Wizard. As far as I know, when using a Microsoft domain name, the certificate is automatically installed during the RWA configuration.

    I am wondering if a background process which belongs to the RWA configuration wizard has run automatically/been triggered. I am unable to identify it further as I am unable to reproduce it in my environment. However, this is my personal point of view, and just for your reference.
     
    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 13, 2017 9:09 AM
    Moderator
  • Hi Eve,

    In your test environment, did you enable VPN as well as RWA?

    Another possible difference between my environment and yours:  I set a static address pool for the VPN as explained here:

    https://www.mcbsys.com/blog/2017/08/set-a-static-ip-address-pool-for-your-2016-vpn/

    However this may not be very common. 

    Regards,

    Mark Berry

    Wednesday, September 13, 2017 11:59 PM
  • Another question:  what locale are you using, and specifically, what date format? Please try U.S. locale with format mm/dd/yyyy. (I am wondering if there is a problem with date comparison, making the server think it has an expired certificate when in fact it is still valid.)

    Regards,

    Mark Berry


    • Edited by mcbsys Friday, September 15, 2017 2:57 PM
    Friday, September 15, 2017 1:47 AM
  • Hi,

    I have tried to configure it just as you mentioned.

    If there is any update, I will reply to let you know.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 15, 2017 9:51 AM
    Moderator
  • Not sure if this will help anyone or if it pertains to your specific issue but the resolution for me was to export the existing cert, then reimport to Essentials so it would quit trying to install its own.
    Monday, September 18, 2017 3:00 PM
  • @sjackowski,

    So you initially reported on Sept. 8 that IIS was incorrectly using the RWA cert. But they are the same cert, right?

    And your solution was to export the cert, then run the RWA wizard to re-import the cert? Clever workaround, though it doesn't explain the root cause.

    I've been working with partner support and determined that my server did not have the intermediate cert that issued the Go Daddy cert (“Go Daddy Secure Certificate Authority – G2”). But even after adding that intermediate cert, the system continues to auto-request and install a new cert after exactly 24 or 48 hours after determining that the existing one has expired.

    I've learned that the most relevant log is this text file:

    C:\ProgramData\Microsoft\Windows Server\Logs\SharedServiceHost-ManagementServiceConfig.2.log

    Mark Berry
    MCB Systems


    • Edited by mcbsys Monday, September 18, 2017 10:43 PM correct the log name
    Monday, September 18, 2017 10:41 PM
  • Hi,

    My test environment only has 2 certificates from GoDaddy until now: the original, which was added when enabling RWA for the first time, and another added during a later test (disable and re-enable RWA).

    If there is anything others I can do for you, just let me know. 
     
    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 20, 2017 10:16 AM
    Moderator
  • Got the exact same problem on four servers. Three Essentials 2016 and one Essentials 2012 R2.

    New xxxx.remotewebaccess.com certificates created every 1-2 days. And breaks the SSTP VPN connection.

    Got several other Essentials 2012 R2 servers with no problem at all.


    • Edited by larsa001 Tuesday, October 31, 2017 1:46 PM
    Tuesday, October 31, 2017 1:43 PM
  • @larsa001,

    After investigation by reps in the partner forum, there is a hypothesis that this happens on machines where the certificate is issued with _two_ Subject Alternative Names (SANs), one as xxxx.remotewebaccess.com and one with a "www" prefix, www.xxxx.remotewebaccess.com. The servers with a _single_ SAN for xxxx.remotewebaccess.com do not generate new certs every two days.

    Since you have several machines with and without the error, can you check the certificate SANs and see if this theory holds true?

    Thanks,

    Mark 

    Tuesday, October 31, 2017 4:05 PM
  • @Mark

    That is correct. On the machines with problems I have the DNS Name=www.xxxxxx.remotewebaccess.com and DNS Name=xxxxxx.remotewebaccess.com

    And on the non problematic Machines only DNS Name=xxxxxx.remotewebaccess.com

    I have checked a couple of my servers and it looks that way.

    Do you have any clue of this behaviour?

    Tuesday, October 31, 2017 8:21 PM
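    A way to run the check above on every server at once, as an added example that is not from the thread: it lists each certificate in the machine store whose SANs cover the RWA name, whether a www SAN is present, and the spacing between issue dates, then shows which certificate HTTP.sys is actually serving on port 443. The domain value is a placeholder; the store path and the DnsNameList property are those of the Windows certificate provider.

    ```powershell
    # Added example, not code from the thread. Assumptions: certificates live in
    # Cert:\LocalMachine\My, and $Domain is your RWA name (placeholder value).
    param([string]$Domain = 'mydomain.remotewebaccess.com')

    function Get-RwaCertificateReport {
        param([string]$Domain)
        $wanted = $Domain.ToLowerInvariant()
        $rows = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
            # DnsNameList is the certificate provider's view of the SAN dNSName entries
            $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
            if ($sans -notcontains $wanted) { continue }
            [pscustomobject]@{
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                Serial     = $cert.SerialNumber
                Thumbprint = $cert.Thumbprint
                Issuer     = $cert.Issuer
                SanCount   = $sans.Count
                HasWwwSan  = ($sans -contains "www.$wanted")
            }
        }
        $rows | Sort-Object NotBefore
    }

    $report = @(Get-RwaCertificateReport -Domain $Domain)
    $report | Format-Table NotBefore, NotAfter, SanCount, HasWwwSan, Serial -AutoSize

    # Spacing between consecutive issue dates; the thread reports 24 or 48 hours
    for ($i = 1; $i -lt $report.Count; $i++) {
        $gap = $report[$i].NotBefore - $report[$i - 1].NotBefore
        '{0:yyyy-MM-dd HH:mm} -> {1:yyyy-MM-dd HH:mm}: {2:N1} h' -f `
            $report[$i - 1].NotBefore, $report[$i].NotBefore, $gap.TotalHours
    }

    # Which certificate HTTP.sys is serving on 443; compare the hash with the newest thumbprint
    netsh http show sslcert ipport=0.0.0.0:443 | Select-String 'Certificate Hash'
    ```

    Run it in an elevated PowerShell session on each server and compare the HasWwwSan column between the servers that loop and the ones that do not; a gap column that is consistently 24 or 48 hours is the signature described in this thread.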
  • It looks like you may be on to something. I just checked my certificate details and there are two listings under Subject Alternative Name. 
    Wednesday, November 1, 2017 2:10 AM
  • Does anyone know if MS or GoDaddy investigates this?
    • Edited by larsa001 Wednesday, November 1, 2017 10:05 AM
    Wednesday, November 1, 2017 10:04 AM
  • Partner Support is provided in a private forum. For some reason, although they have duplicated and documented the issue, they are not able to internally escalate an issue as a bug. They say they have "emailed" the Essentials team, but they advise me to open a telephone support incident. If I recall correctly, that means I have to agree to pay $499 until I convince them that I am reporting a bug. And it means starting over with documenting, tracing, screen shots, etc. 
    Wednesday, November 1, 2017 4:00 PM
  • @larsa001

    Are your Server 2012R2 machines which are facing this problem also receiving certificates with 2 Subject Alternative Names?

    Thursday, November 2, 2017 7:08 AM
  • @Roy1991

    Yes, both Server 2012R2 and 2016 receiving certificates with 2 Subject Alternative Names.

    Thursday, November 2, 2017 7:25 AM
  • @larsa001, can you identify a rough date when the 2012R2 certs started getting duplicated? Did older certs on the same machine have only one SAN?

    Wondering if Go Daddy started adding a second SAN after a certain date and most of us only noticed it on newer 2016 installs. Which means that when older 2012R2 installs do their annual renewal, they may also fall into this renewal loop.

    Thursday, November 2, 2017 3:31 PM
  • The 2012R2 server was installed at 2017-08-22 and received from the beginning a second SAN.

    Servers installed before that one do not have that problem. The server that was installed at the earliest before was around 2017-01

    Thursday, November 2, 2017 3:44 PM
  • Found one 2012R2 Essentials installed 2017-04-28 with no problems. So something happened between 2017-04 and 2017-08 that causes this problem.
    Thursday, November 2, 2017 3:50 PM
  • I have given up. Will buy a certificate and add a new address (not remotewebaccess.com) for the 2016 server. The other servers do not use SSTP VPN, so they may stay as they are.

    Hope MS and GoDaddy solve this some day.


    • Edited by larsa001 Friday, November 3, 2017 2:00 PM
    Friday, November 3, 2017 1:58 PM
  • @larsa001, thanks for the info you've provided. Definitely helps to have several examples to look at.

    To buy a certificate, you probably know already that Essentials has a wizard for creating the certificate signing request, usually as remote.yourdomain.com. Well it used to; I haven't done this for a while. You can buy a 3-year Comodo Positive SSL cert for $15 at https://cheapsslsecurity.com/.

    Friday, November 3, 2017 5:06 PM
  • @mcbsys Discovered one thing that complicates this. Found a server 2012R2 installed 2017-04 with www in the SAN. And it is not renewing the certificate every 1-2 days. And SSTP VPN works.

    And yes I know about the certificate signing request, but thanks anyway :)

    • Edited by larsa001 Friday, November 3, 2017 6:34 PM
    Friday, November 3, 2017 6:27 PM
  • Interesting. If you want to dig into it, you can compare entries in log files

    C:\ProgramData\Microsoft\Windows Server\Logs\SharedServiceHost-ManagementServiceConfig.log

    Look for events like this:

    [18100] 171025.012348.2442: DomainManager:DefaultCertificateServiceProvider: FindCertificateForDomain called for domain mydomain.remotewebaccess.com
    [18100] 171025.012348.2442: DomainManager:CheckCertificateExpirationTask: Certificate reported as expired, calling expiration handler
    [18100] 171025.012348.2442: DomainManager:Service: CertificateExpirationHandler: trusted cert near expiration, will submit renew request

    Wait a second, now I see that my most recent cert is from October 25. Do you have others since then? I wonder if one of the registry tweaks that support had me do is still in place ... there was one that disabled renewals altogether, I think...


    Friday, November 3, 2017 7:03 PM
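    To pull the renewal decisions out of that log without reading it by hand, here is an added example (not from the thread): it parses the timestamped lines, keeps the ones where the expiration handler decided to submit a renew request, and prints the hours between them. The log path is the one named above, with the rotated `.2` file picked up as well; the sample lines are constructed from the three quoted in the post and are only used when the log is not present.

    ```powershell
    # Added example, not code from the thread. Reads SharedServiceHost-ManagementServiceConfig*.log
    # (the path given in this thread) and reports each renew decision; falls back to
    # constructed sample lines when the log files are not present on this machine.
    $LogDir = 'C:\ProgramData\Microsoft\Windows Server\Logs'

    $sampleLines = @(
        '[18100] 171025.012348.2442: DomainManager:DefaultCertificateServiceProvider: FindCertificateForDomain called for domain mydomain.remotewebaccess.com',
        '[18100] 171025.012348.2442: DomainManager:CheckCertificateExpirationTask: Certificate reported as expired, calling expiration handler',
        '[18100] 171025.012348.2442: DomainManager:Service: CertificateExpirationHandler: trusted cert near expiration, will submit renew request',
        '[18100] 171027.012401.1180: DomainManager:DefaultCertificateServiceProvider: FindCertificateForDomain called for domain mydomain.remotewebaccess.com',
        '[18100] 171027.012401.1180: DomainManager:CheckCertificateExpirationTask: Certificate reported as expired, calling expiration handler',
        '[18100] 171027.012401.1180: DomainManager:Service: CertificateExpirationHandler: trusted cert near expiration, will submit renew request'
    )

    function ConvertFrom-SshLogLine {
        param([string]$Line)
        # Format: [thread] yyMMdd.HHmmss.ffff: Component: message
        if ($Line -match '^\[(\d+)\]\s+(\d{6})\.(\d{6})\.(\d+):\s+(\S+?):\s+(.*)$') {
            [pscustomobject]@{
                Thread    = [int]$Matches[1]
                Time      = [datetime]::ParseExact($Matches[2] + $Matches[3], 'yyMMddHHmmss', $null)
                Component = $Matches[5]
                Message   = $Matches[6]
            }
        }
    }

    function Get-RenewalDecisions {
        param([string[]]$Lines)
        $events   = $Lines | ForEach-Object { ConvertFrom-SshLogLine $_ } | Where-Object { $_ }
        $renewals = @($events | Where-Object { $_.Message -like '*will submit renew request*' } | Sort-Object Time)
        for ($i = 0; $i -lt $renewals.Count; $i++) {
            $gap = if ($i -gt 0) { [math]::Round(($renewals[$i].Time - $renewals[$i - 1].Time).TotalHours, 1) } else { $null }
            [pscustomobject]@{ Time = $renewals[$i].Time; HoursSincePrevious = $gap }
        }
    }

    $files = Get-ChildItem -Path (Join-Path $LogDir 'SharedServiceHost-ManagementServiceConfig*.log') -ErrorAction SilentlyContinue
    $lines = if ($files) { $files | Sort-Object LastWriteTime | Get-Content } else { $sampleLines }

    Get-RenewalDecisions -Lines $lines | Format-Table -AutoSize
    ```

    On the constructed sample the second entry shows 48.0 hours since the first, which is the cadence the thread describes; on a real log, a renew decision that follows a "Certificate reported as expired" line for a certificate you know is still valid is the point to look at.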
  • Yes my latest renewal was today.
    Friday, November 3, 2017 9:22 PM
  • Okay I've tried to document this issue and the current status here;

    https://www.mcbsys.com/blog/2017/11/essentials-certificates-re-issued-every-two-days-vpn-fails/

    Saturday, November 4, 2017 9:29 PM
  • Regarding the VPN issue.

    The RAS stays with the old certificate when a new one is created. And you have to rebind with the new one every time it changes. Otherwise the VPN connects and instantly disconnects.

    Monday, November 6, 2017 7:44 AM
  • Re. VPN, does it rebind automatically to the new cert if you reboot the machine? I wonder if restarting the related service would fix it? Sounds like this is also a bug, just one that is not usually noticed when the cert re-issues every three years.
    Monday, November 6, 2017 4:01 PM
  • Usually, but not always I have noticed.

    But only restarting the service does not do the trick. When you rebind the new certificate in Routing and Remote Access, you are asked if you want the required services restarted. And if you let it do that, all is fine until a new certificate is generated.

    Monday, November 6, 2017 6:58 PM
  • @laras001, on my 2016 machine, the cert hasn't auto-renewed since October 25. VPN connects (e.g. from a laptop) and I can ping the server, but I can't browse shared folders. I wanted to check the certificate binding. You mention needing to use RRAS. How? I never got RRAS working on 2016 (see this post: https://www.mcbsys.com/blog/2017/08/set-a-static-ip-address-pool-for-your-2016-vpn/). Are you re-binding through PowerShell?

    [Edit:  okay using PowerShell "Get-RemoteAccess", I see that it is using the certificate from October 25, so that's not the cause of my problem. Still wondering how you have been rebinding, though.]

    Also, I just realized that something DID change in my environment about the time that the cert stopped auto-renewing:  I replaced a Linksys E2000 router running Tomato with a UniFi USG router. As far as I know, UPnP is turned off on both. Do you see any correlation between routers and which certs auto-renew?


    • Edited by mcbsys Monday, November 13, 2017 10:44 PM
    Monday, November 13, 2017 10:38 PM
  • Hi

    To use RRAS to rebind you have to follow this: https://glennopedia.com/2017/08/25/how-to-re-deploy-vpn-in-2016-essentials-in-legacy-mode/

    And I did also replace my router in one of the 2016 environments, from a Dell SonicWall to a UniFi EdgeRouter X; for me that did not change anything.

    Tuesday, November 14, 2017 7:16 AM
  • Great article, thanks. It looks like it should be possible to update the certificate via PowerShell (Set-RemoteAccess -SslCertificate); in fact, he covers that in another article:  https://glennopedia.com/2017/08/25/how-to-re-deploy-vpn-in-2016-essentials-with-powershell/. For occasional use, though, it sure is easier to check and change in the GUI.
    Tuesday, November 14, 2017 6:16 PM
  • Hi there,

    Just to confirm to you all: thanks to the whole of the information collected above, I proceeded to buy a wildcard certificate and it was installed on the server (WS 2016). The Everywhere Access service was reset with the new domain (corporate domain) instead of the free Microsoft domain (xxxx.remotewebaccess.com), along with the new certificate. I can confirm it worked and it is not renewing the certificate after 24h; 5 days have gone by and it is working nicely.

    So it seems that it was something related to the SAN record in the Go Daddy certificate, as you deduced before.

    Kind regards,

    Monday, December 11, 2017 2:50 PM
  • This thread has been very helpful in getting my mind wrapped around this issue. Has anyone found out if this will be fixed in a future cumulative update? Should I just sit and wait or are we just forced to buy our own certs now?
    Tuesday, January 2, 2018 4:05 PM
  • A system restore from a backup with working VPN might be the solution.
    I had been facing the same problem until I restored the system to a backup point where the VPN works. After the restore, the VPN stays working properly.  


    • Edited by Aar0nS Friday, March 9, 2018 7:47 AM
    Friday, March 9, 2018 7:41 AM
  • Given that this has been broken for over 6 months, I decided to go with a very clunky brute-force workaround since I'm mainly interested in getting the SSTP VPN to function, at least after a fashion. I'm just using it for a home file server, so as bad as it is, this will be my free solution.

    In the Event Viewer, Windows Logs, System, I saw an HttpEvent 15301 that occurs every 24 hours and rebinds the SSL cert. When you're lucky, GoDaddy doesn't issue you a new cert and everything is fine, but every couple of days I do get a new one and the VPN breaks.

    Right-clicking on that event, I attached a simple scheduled task that reacts to the change by running a batch file as SYSTEM which restarts a bunch of remote access and SSTP services -- probably more than is needed, but it's better than rebooting.

    net stop remoteaccess
    net stop RaMgmtSvc
    net stop rasman
    net stop sstpsvc
    timeout 3
    net start sstpsvc
    net start remoteaccess
    net start ramgmtsvc

    This worked, and even after getting a new SSL cert, the VPN works after the services restart.

    In rrasmgmt.msc (see responses above about how to get that working), I have the server's security properties set to use the Default cert, so when it restarts, whatever is bound to HTTP.sys is used. That may be the default configuration, so probably not something you have to worry about unless you changed it during previous trouble shooting attempts.

    Obviously, anyone connected via VPN gets dumped when this occurs. Unfortunately, I believe the best you can do is use the Dashboard to run the Anywhere Access repair wizard at whatever time you feel is the least inconvenient for it to happen each and every single day.

    • Edited by David__F Sunday, March 18, 2018 2:44 AM
    Sunday, March 18, 2018 2:35 AM
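    The same workaround expressed in PowerShell, as an added example that is not David__F's batch file: instead of restarting the services blindly, it compares the certificate RRAS currently holds (Get-RemoteAccess, mentioned earlier in the thread) with the newest store certificate for the RWA name, rebinds with Set-RemoteAccess -SslCertificate only when they differ, restarts the same services listed above, and, when run once with -Register, installs itself as a SYSTEM task triggered by HttpEvent 15301. The domain, the script location and the provider name Microsoft-Windows-HttpEvent in the event query are assumptions.

    ```powershell
    # Added example, not code from the thread. Assumptions: the RemoteAccess module is
    # installed (Get-/Set-RemoteAccess), this file is saved at $ScriptPath, $Domain is a
    # placeholder for your RWA name, and HttpEvent 15301 is logged by the provider
    # Microsoft-Windows-HttpEvent in the System log.
    param([switch]$Register)

    $Domain     = 'mydomain.remotewebaccess.com'
    $ScriptPath = 'C:\Scripts\Sync-RrasCertificate.ps1'
    $Services   = @('remoteaccess', 'RaMgmtSvc', 'rasman', 'sstpsvc')   # the list from the post above

    function Get-NewestRwaCertificate {
        param([string]$Domain)
        Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { @($_.DnsNameList | ForEach-Object Unicode) -contains $Domain } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    }

    function Sync-RrasCertificate {
        param([string]$Domain)
        $newest = Get-NewestRwaCertificate -Domain $Domain
        if (-not $newest) { return "no certificate in the store covers $Domain" }
        $current = (Get-RemoteAccess).SslCertificate
        if ($current -and $current.Thumbprint -eq $newest.Thumbprint) { return 'RRAS already bound to the newest certificate' }
        # Rebind RRAS to the newest certificate, then restart the SSTP/RAS services
        Set-RemoteAccess -SslCertificate $newest
        foreach ($svc in $Services) { Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue }
        Start-Sleep -Seconds 3
        foreach ($svc in @('sstpsvc', 'remoteaccess', 'RaMgmtSvc')) { Start-Service -Name $svc }
        return "rebound RRAS to $($newest.Thumbprint)"
    }

    function Register-RebindTask {
        # Event trigger built through CIM, since New-ScheduledTaskTrigger has no event option
        $trigClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
        $trigger   = New-CimInstance -CimClass $trigClass -ClientOnly
        $trigger.Enabled = $true
        $trigger.Subscription = @"
<QueryList><Query Id="0" Path="System"><Select Path="System">*[System[Provider[@Name='Microsoft-Windows-HttpEvent'] and EventID=15301]]</Select></Query></QueryList>
"@
        $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                         -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName 'RWA-RebindVpnCert' -Action $action -Trigger $trigger -Principal $principal -Force
    }

    if ($Register) { Register-RebindTask } else { Sync-RrasCertificate -Domain $Domain }
    ```

    Save the file at the path in $ScriptPath, run it once elevated with -Register, and from then on each 15301 rebind event runs the sync; because the sync returns early when the thumbprints already match, the daily rebind that did not bring a new certificate no longer drops connected VPN users, only the ones where a new certificate actually arrived do.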
  • Is there a proper fix for this problem? I currently have two 2016 Essentials servers with this issue and would like to resolve it.

    I have set a script in Task Scheduler; however, this lets the VPN connect but does not allow access, as obviously the SSL cert is a different one each time and I have no option to set a default.

    Monday, May 28, 2018 7:47 AM
  • Wow, I started a sep thread to try and get this resolved but finally came upon this one.  How is this not solved yet?

    I'd gladly install a new cert purchased for $70 from Godaddy and redirect a domain but the documentation on it is horrible.  Anyone have a good route at that to get anywhere access working?

    Tuesday, June 5, 2018 1:19 AM
  • I've just installed Server Essentials 2016 and am having the same problem. It's quite unbelievable that this problem still exists. My customer is losing all confidence in Windows Server, let alone my recommendation to use it in the first place.

    Please can we have a fix for this NOW!!

    Monday, July 2, 2018 5:14 PM