[RESOLVED] The remote certificate is invalid according to the validation procedure.

Bastian W. | Nov 15, 2016 | Articles \ Exchange

Abstract: If a third-party system (e.g. a Microsoft SQL Server) connects to a Microsoft Exchange Server via SMTP, you might see an error message like "The remote certificate is invalid according to the validation procedure" in its log files.

The full error message (depending on the environment that is connecting to the MS Exchange Server) might look like this:

The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 1 (2016-07-16T12:44:02). Exception Message: Cannot send mails to mail server. (The remote certificate is invalid according to the validation procedure.).

Root cause:

The root cause is that the connecting client fails to validate the SSL certificate presented by the Exchange server. Depending on why the validation fails, multiple solutions might apply (some are outlined below).

Troubleshooting:

The first step is to check which SSL certificate our MS Exchange Server presents on the SMTP port.

1.) On the affected OS (the one our application runs on, where we need to troubleshoot the SMTP problem) install OpenSSL.

2.) Open a connection from the affected OS to the MS Exchange environment via:

openssl s_client -connect exchange01.int.contoso.com:25 -starttls smtp

or, for the standard secure SMTP port (465):

openssl s_client -connect exchange01.int.contoso.com:465

3.) If the port is open you will get a result that should look similar to this:

C:\OpenSSL-Win32\bin>openssl s_client -connect exchange01.int.contoso.com:25 -starttls smtp
CONNECTED(000000F4)
depth=1 DC = com, DC = contoso, DC = int, CN = Contoso Subordinate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=exchange01.int.contoso.com
i:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
1 s:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
i:/CN=Contoso Offline Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[SNIP SSL Server certificate here SNIP]
-----END CERTIFICATE-----
subject=/CN=exchange01.int.contoso.com
issuer=/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4024 bytes and written 423 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 6F1D0000A16611FFD0185771000EB3F60C608E3B51363E827BF8CC5F4F1C31DF
Session-ID-ctx:
Master-Key: 26978F25E762B883EA34AC65673D8718A4777ACCF15BC75E7453BB3286BC4A265727C9067A4B8844CB2E20F84034FE29
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1487166762
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
250 XRDST

4.) Once the connection is active you can try to send an email the normal telnet way (as mentioned here, for example).

If that works, the remaining problem is the SSL certificate itself; depending on your environment multiple solutions might apply here (as already outlined):

Solution 01: A certificate chain could not be built to a trusted root authority:

The underlying error here could be RemoteCertificateChainErrors. To make sure that the SSL certificate chain is trusted on the affected system you need to look at the certificates inside the chain. For our environment the chain is:

Certificate chain
0 s:/CN=exchange01.int.contoso.com
i:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
1 s:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
i:/CN=Contoso Offline Root CA

Solution (Windows OS):

Make sure that the full SSL certificate chain is trusted on the affected system. If that system is a Microsoft SQL Server (which obviously runs on a Windows Server OS), make sure that the root certificate (/CN=Contoso Offline Root CA) and the intermediate certificate (/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA) are in the trusted certificate stores of the Windows Server OS (the root under Trusted Root Certification Authorities, the intermediate under Intermediate Certification Authorities). That solution should also work for all other products that use the Windows OS certificate store.

Solution (Java certificate store):

Likewise, make sure that the full SSL certificate chain is trusted on the affected system: import the root (/CN=Contoso Offline Root CA) and the intermediate certificate (/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA) into the Java keystore the application uses as its truststore. See here for a how-to.

Solution 02: SSL certificates expired

Make sure that the SSL certificate used for the SMTP service offered by the Microsoft Exchange Server has not expired. If it has, you might also see the error "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file".

Solution 03: Certificate name mismatch

The error could also be RemoteCertificateNameMismatch. Make sure that the SSL certificate used for the SMTP service offered by the Microsoft Exchange Server matches the hostname you use to connect (exchange01.int.contoso.com in the example above).

Solution 04: SSL certificates revoked

Make sure that the SSL certificate used for the SMTP service offered by the Microsoft Exchange Server has not been revoked.

Solution 05: Self-signed certificate used:

If the output above shows a self-signed SSL certificate for the SMTP service offered by the Microsoft Exchange Server, you should change that. Get a trusted SSL certificate for your Microsoft Exchange Server and activate it for the SMTP service via (more info here):

Enable-ExchangeCertificate -Thumbprint 434AC224C8459924B26521298CE8834C514856AB -Services SMTP

A workaround is to add the self-signed certificate to the Trusted Root Certification Authorities store on the affected Microsoft OS (note that this trusts only that one certificate, so it has to be repeated whenever the Exchange certificate is renewed). To do that:

a.) Inside a CMD enter MMC

b.) Add the Certificates snap-in (computer account)

c.) Import the self-signed certificate into the "Trusted Root Certification Authorities" folder
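
To turn the openssl s_client transcript from the troubleshooting section into one of the five solutions above, here is an added Python example (not code from the original post): it parses the "Certificate chain" block and the "Verify return code" line of a transcript, maps OpenSSL's verify error codes to the solution headings, and additionally flags a self-signed leaf certificate and a CN that does not match the hostname you connected to. The code-to-solution mapping and the sample transcripts are constructed for this example; the first sample reproduces the article's own output, the second is an invented self-signed case.

```python
"""Classify an `openssl s_client` transcript into this article's five solutions.
Added example, not code from the original post; the sample transcripts are constructed."""
import re

# OpenSSL X509_V_ERR_* codes as printed in "Verify return code: N (text)",
# mapped to the article's solution headings (the mapping itself is this example's).
VERIFY_CODE_TO_SOLUTION = {
    10: "Solution 02",  # certificate has expired
    18: "Solution 05",  # self signed certificate (depth 0)
    19: "Solution 01",  # self signed certificate in certificate chain (root not trusted)
    20: "Solution 01",  # unable to get local issuer certificate
    21: "Solution 01",  # unable to verify the first certificate
    23: "Solution 04",  # certificate revoked
    62: "Solution 03",  # hostname mismatch (OpenSSL 1.1.0+, with -verify_hostname)
}

CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # "0 s:/CN=exchange01..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")         # "  i:/DC=com/..."
VERIFY_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)")
CN_RE = re.compile(r"CN\s*=\s*([^/,]+)")       # handles "/CN=x" and "CN = x" styles


def parse_chain(transcript):
    """Extract the 'Certificate chain' block as [{depth, subject, issuer}, ...]."""
    lines = transcript.splitlines()
    chain = []
    for idx, line in enumerate(lines[:-1]):
        m = CHAIN_RE.match(line)
        im = ISSUER_RE.match(lines[idx + 1]) if m else None
        if m and im:
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(),
                          "issuer": im.group(1).strip()})
    return chain


def parse_verify_result(transcript):
    """Return (code, reason) from the 'Verify return code' line, or (None, None)."""
    for line in transcript.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            return int(m.group(1)), m.group(2).strip()
    return None, None


def cn_matches(cn, hostname):
    """Compare a certificate CN (optionally a single-label wildcard) to a hostname."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == cn[2:]
    return cn == hostname


def classify(transcript, hostname):
    """Map one s_client transcript to the article's solution headings, in evidence order."""
    chain = parse_chain(transcript)
    code, reason = parse_verify_result(transcript)
    self_signed = bool(chain) and chain[0]["subject"] == chain[0]["issuer"]
    cn_match = CN_RE.search(chain[0]["subject"]) if chain else None
    leaf_cn = cn_match.group(1).strip() if cn_match else None
    findings = []
    if code:  # code 0 means the client's own verification succeeded
        findings.append(VERIFY_CODE_TO_SOLUTION.get(code, "unmapped verify error %d" % code))
    if self_signed:
        findings.append("Solution 05")
    # The chain summary shows only the CN; subject alternative names need
    # `openssl x509 -noout -text`, so a CN mismatch is a lead rather than proof.
    if leaf_cn is not None and not cn_matches(leaf_cn, hostname):
        findings.append("Solution 03")
    return {"verify_code": code, "verify_reason": reason, "chain_depth": len(chain),
            "leaf_cn": leaf_cn, "self_signed_leaf": self_signed,
            "solutions": list(dict.fromkeys(findings))}  # de-duplicated, order kept


# Constructed sample 1: the article's own transcript, trimmed to the lines used here.
SAMPLE_CHAIN_ERROR = """\
Certificate chain
0 s:/CN=exchange01.int.contoso.com
i:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
1 s:/DC=com/DC=contoso/DC=int/CN=Contoso Subordinate CA
i:/CN=Contoso Offline Root CA
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample 2: an invented self-signed server certificate (not from the article).
SAMPLE_SELF_SIGNED = """\
Certificate chain
0 s:/CN=exchange01.int.contoso.com
i:/CN=exchange01.int.contoso.com
---
Verify return code: 18 (self signed certificate)
"""

if __name__ == "__main__":
    print(classify(SAMPLE_CHAIN_ERROR, "exchange01.int.contoso.com"))
    print(classify(SAMPLE_SELF_SIGNED, "mail.contoso.com"))
```

Run it against a saved transcript (openssl s_client ... > transcript.txt) and the hostname you connected with; for the article's output it returns verify code 20 and points at Solution 01, while a self-signed certificate reached under a different name yields Solution 05 plus Solution 03. The CN check is deliberately a hint only, because s_client's chain summary does not show subject alternative names.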


Cross information:
https://blogs.msdn.microsoft.com/jpsanders/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure/

© 2012 - 2021 admin-enclave.com | Disclaimer | Privacy Policy | Imprint | Articles by year