UM (Exchange and OCS) Cert Issue - Post Install of New Cert

  • Article

I recently had to replace a near to expired certificate on a Exchange 2007 SP1 server.

This machine had two certificates:

1) External certificate with the various names required: mail.compABC.com, autodiscover.compABC.com, ect

2) Internal certificate (AD integrated CA) added to publish the internal name and services of the server

 

After replacing the external certificate we started to get UM errors.

 

On the Exchange server the following errors were seen:

 

Event Type: Warning

Event Source: MSExchange Unified Messaging

Event Category: UMService

Event ID: 1113

Date: 11/5/2008

Time: 11:41:38 AM

User: N/A

Computer: ExchangeUMServer

Description:

The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred because the remote end disconnected while TLS negotiation was in progress. The error Code was -2146233088 and the message was Unknown error (0x80131500). .

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

On the OCS server the following errors were see:

 

Event Type: Error

Event Source: OCS Inbound Routing

Event Category: (1037)

Event ID: 45024

Date: 11/7/2008

Time: 11:13:56 PM

User: N/A

Computer: OCSServer

Description:

Missed call notifications cannot be sent.

An attempt to use an Exchange UM Server for a missed call notification failed: ExchangeUMServer.CompABC.Com.

Failure occurrences: 1, since 11/7/2008 11:13:26 PM.

Failure Details: Failure occurred while connecting. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider outgoing TLS negotiation failed; HRESULT=-2146762487

Cause: The Exchange UM server may be experiencing a problem.

Resolution:

Examine the event logs on the indicated Exchange UM server to determine the cause of the problem.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

 

After some random time OCS to Exchange voicemail would stop.

Restarting the Exchange Speech Service (and Ex UM service dependency) resolved the issue temporarily.

 

Looking through the Logs on the Exchange Server I found the following event id that stated that the external cert was being used for UM.

 

Event Type: Information

Event Source: MSExchange Unified Messaging

Event Category: UMService

Event ID: 1112

Date: 11/8/2008

Time: 8:52:57 AM

User: N/A

Computer: ExchangeUMServer

Description:

The Microsoft Exchange Unified Messaging service will attempt to use a certificate with the following details: IssuerName = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, IsSelfSigned = "False", NotValidAfter = "11/1/2011 8:40:41 AM". The path to this certificate is "C:\Program Files\Microsoft\Exchange Server\UnifiedMessaging\UMServiceCertificate.cer".

 

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

 

Thus real issue was that OCS to Exchange UM needs the ISSUE TO name to be the FQDN of the internal server – which was not the case for our external cert.

 

So we could re-issue the external cert and expose the internal name or we could just force UM to use the internal cert again.

 

Spending some time trying to figure out if the enable-exchangecertificate –service NONE command worked (my thoughts were just to remove the UM portion from the external cert) I found that the NONE command really does….well nothing….

 

So I thought about exporting and re-importing the external cert – problem is you can’t unless you move services (like hub transport) to a different cert….

Thus I was very close to looking for a new external cert when one of the Product Group members shared this little fact.

 

‘UM never care about what you do in enable-exchangecertificate –Services UM. UM has it’s own logic (similar in Transport) to pick the cert it uses. It prefer the latest CA issued cert…. if you create a new internal CA cert with FQDN of the UM server, UM will pick that over any other cert currently installed.”

 

So I requested a new internal cert – which automatically imported with the UM service enabled. Removed the old internal cert and restarted the Exchange UM Service.

 

Yep – as predicted it used the new internal cert. Problem solved.

 

Hopefully others can benefit from my pain.

 

rs