How to analyze a remote server's certificate to resolve a validation error using OpenSSL?

    Question

  • Hi Team,

    I have often noticed issues where Exchange Online (Office 365) failed to complete connector validation due to "Certificate Name didn't match" on the remote side, whereas the customer either recently configured the certificate or renewed it.

    I heard someone say:

    " Openssl will show us exactly which certificates are returned from a remote server.

    Sometimes certificates that we find on a system (get-exchangecertificate | fl) are not the certificates EOP will get presented while negotiating TLS or no certificate is presented at all, resulting in different kinds of TLS or attribution errors."

    Could you help me understand how we analyze and identify the correct certificate used/set for inbound email using the cmdlet below?

    openssl s_client -connect remote.domain.com:25 -starttls smtp -showcerts


    Monday, November 13, 2017 2:35 PM

All replies

  • Hi Jatin,

    To analyze your question, I want to check:
    1. Do you mean inbound SMTP email or outbound SMTP email via ExRCA (on the Office 365 page)?
    2. Is it a hybrid environment with a local Exchange server?
    3. Is mail flow working well between the "remote server" and Exchange Online?

    Moreover, please post the whole test process for further assistance (without sensitive information).

    Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, November 14, 2017 10:11 AM
    Moderator
  • Hi,

    Would you please post an update about your issue?
    Please post the answer as I asked above, it's very helpful to further troubleshooting.

    Regards,
    Allen Wang



    Monday, November 20, 2017 1:05 PM
    Moderator
  • Hi Allen,

    What I mean is outbound connector validation failure; if you are unaware, it's from Office 365 to on-prem Exchange. These issues are common, and one of the effective methods of diagnosis is using a bash shell.

    "Openssl will show us exactly which certificates are returned from a remote server. Sometimes certificates that we find on a system (get-exchangecertificate | fl) are not the certificates EOP will get presented while negotiating TLS or no certificate is presented at all, resulting in different kinds of TLS or attribution errors."

    Could you help me understand how we analyze and identify the correct certificate used/set for inbound email using the cmdlet below?

    openssl s_client -connect remote.domain.com:25 -starttls smtp -showcerts

    Hope it can give you clear answers to check further.
    Tuesday, November 21, 2017 12:40 AM
  • To build secure communication between on-premises Exchange and Exchange Online, we need to specify a certificate for transport when running the HCW. Each transport server (if you add multiple servers in the HCW) must use a certificate that shares the same issuing CA and the same subject for hybrid secure mail to function correctly.

    Therefore, run the command below to view the FQDN setting of Default Frontend <ServerName> on each transport server, and ensure they use the same host name:
    Get-ReceiveConnector -Server "ServerName" | ? {$_.Identity -like "*Default Front*"} | FL Identity,Name,FQDN
    Also, check the SAN on the Exchange certificate (the one assigned to the SMTP service).

    Regards,
    Allen Wang



    Friday, November 24, 2017 6:04 AM
    Moderator
  • Hi Allen,

    My question was clear, and what you answered is another method, so I have unmarked it as "answer". Repeating my question here again:

    Could you help me understand how we analyze and identify the correct certificate used/set for inbound email using the cmdlet below?


    openssl s_client -connect remote.domain.com:25 -starttls smtp -showcerts

    Friday, December 1, 2017 2:47 AM
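As an added example (not code from this thread or from Microsoft) of reading the `-showcerts` output the question asks about: the script below takes a captured `openssl s_client` run (a constructed sample with made-up host names is embedded) and reports how many certificates the remote side actually presented, the leaf subject, whether the expected host name matches it, and the verify return code.

```shell
#!/bin/sh
# Constructed excerpt of `openssl s_client -connect host:25 -starttls smtp -showcerts`
# output (PEM bodies elided, host names made up); capture a real run with `> out.txt`.
SAMPLE_OUTPUT='Certificate chain
 0 s:CN = mail.example.net
   i:C = US, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIC...elided...
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Issuing CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIID...elided...
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)'

# How many certificates the remote side actually sent (0 = no certificate presented).
chain_length() { printf '%s\n' "$1" | grep -c '^-----BEGIN CERTIFICATE-----' || true; }

# Subject of the leaf (index 0) certificate exactly as s_client prints it.
leaf_subject() { printf '%s\n' "$1" | sed -n 's/^ 0 s://p'; }

# Numeric verify return code (0 means the chain validated against the local trust store).
verify_code() { printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p'; }

# Does the host the connector expects match one presented name? A wildcard covers exactly
# one leftmost label, as TLS clients apply it: *.example.net matches mail.example.net,
# but not example.net and not a.b.example.net.
name_matches() {  # $1 = expected host, $2 = CN or SAN entry
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$name" in
    '*.'*) [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ] ;;
    *)     [ "$host" = "$name" ] ;;
  esac
}

# One-line summary of a capture for the expected host. CN is only a fallback: list the
# SAN with `openssl x509 -noout -text < leaf.pem | grep -A1 'Subject Alternative Name'`.
report() {  # $1 = expected host, $2 = captured s_client output
  n=$(chain_length "$2")
  [ "$n" -eq 0 ] && { echo "no certificate presented"; return 1; }
  cn=$(leaf_subject "$2" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p')
  if name_matches "$1" "$cn"; then m=match; else m=MISMATCH; fi
  echo "chain=$n leaf_cn=$cn name=$m verify=$(verify_code "$2")"
}

report mail.example.net "$SAMPLE_OUTPUT"   # prints: chain=2 leaf_cn=mail.example.net name=match verify=21
```

A verify code other than 0 with a correct name usually means the intermediate was not sent or the issuer is not trusted, which is a different fix from a name mismatch.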