切换到宽版
发帖 回复
返回列表
123
  • 27702阅读
  • 22回复

[求助]Exchange 2007 边缘出现证书错误 ID 12014 12015 [复制链接]

 上一主题 下一主题
达佰仕
技术学徒
只看该作者 10楼  发表于: 2013-09-10

edge上运行的结果如下:

[PS] C:\Windows\system32>Get-ExchangeCertificate |fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.jpe.cc, S08622.jinnpina.com.cn, S08622, autodisco
                     ver.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=jinnpina-S08603-CA, DC=jinnpina, DC=com, DC=cn
NotAfter           : 4/30/2014 11:33:24 AM
NotBefore          : 4/30/2012 11:33:24 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 53780A82000000000010
Services           : None
Status             : Valid
Subject            : CN=webmail.jpe.cc, O=JPE, L=Zhuhai, S=Zhuhai, C=CN
Thumbprint         : FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08602, S08602.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08602
NotAfter           : 11/5/2012 1:59:48 PM
NotBefore          : 11/5/2011 1:59:48 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : DDD9A6071F0306BA4797AD234462CDBD
Services           : SMTP
Status             : Invalid
Subject            : CN=S08602
Thumbprint         : 4AF4E76CBBBF025B227E94237982B51931FE8E6A

[PS] C:\Windows\system32>
回复
举报
opop
高级工程师
只看该作者 11楼  发表于: 2013-09-10
回 达佰仕 的帖子
达佰仕:edge上运行的结果如下:
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
.......(2013-09-10 14:36)嬀/color]

从edge上的结果来看,第二张证书过期了,所以报错12014。在edge上执行下列命令即可renew该证书:

Get-ExchangeCertificate -Thumbprint FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6 | New-ExchangeCertificate
回复
举报
达佰仕
技术学徒
只看该作者 12楼  发表于: 2013-09-13
更新证书后是即可生效还是要重启机器 ?谢谢!
回复
举报
opop
高级工程师
只看该作者 13楼  发表于: 2013-09-13
回 达佰仕 的帖子
达佰仕:更新证书后是即可生效还是要重启机器 ?谢谢!(2013-09-13 10:57)嬀/color]

重启一下 传输服务
回复
举报
达佰仕
技术学徒
只看该作者 14楼  发表于: 2013-09-13

更新证书重启mailbox 跟edgs后外网邮件收发不了,出现了以下错误提示:
错误ID:1005
The EdgeSync credential cn=ESRA.S08602.S08622.0,CN=Services,CN=Configuration,CN={104D00FF-8BD9-4AB5-A56A-A315CF554384} could not be decrypted by using the certificate with thumbprint 030F881D038B58C67ABB810B45AA5FCFA6B50020. The exception is Bad Data.
. To resolve this problem, unsubscribe and resubscribe your Edge Transport server.

The EdgeSync credential cn=ESRA.S08602.S08622.1,CN=Services,CN=Configuration,CN={104D00FF-8BD9-4AB5-A56A-A315CF554384} could not be decrypted by using the certificate with thumbprint 030F881D038B58C67ABB810B45AA5FCFA6B50020. The exception is Bad Data.
. To resolve this problem, unsubscribe and resubscribe your Edge Transport server.
错误ID12014
Microsoft Exchange couldn't find a certificate that contains the domain name S08602.jinnpina.com.cn in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector edgesync - inbound to default-first-site-name with a FQDN parameter of S08602.jinnpina.com.cn. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
回复
举报
达佰仕
技术学徒
只看该作者 15楼  发表于: 2013-09-14
1.现在的情况是,在Edge上更新了证书Get-ExchangeCertificate -Thumbprint FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6 | New-ExchangeCertificate 后
把Edge的证书 New-EdgeSubscription生成XML文件

2.再到mailbox上把之前的订阅删除,新建边缘订阅 (然后把mailbox跟edge重启)邮箱收发属正常,但Edge上还报ID12014错误。

3.Edge上报ID12014错误,(mailbox上已经没有报证书错误了)
Microsoft Exchange couldn't find a certificate that contains the domain name S08602.jinnpina.com.cn in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector edgesync - inbound to default-first-site-name with a FQDN parameter of S08602.jinnpina.com.cn. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
4.mailbox上新的边缘订阅状态好像一直是重试的状态

5.现在mailbox跟edge的证书信息如下:

mailbox 的证书信息
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.jpe.cc, S08622.jinnpina.com.cn, S08622, autodisco
                     ver.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=jinnpina-S08603-CA, DC=jinnpina, DC=com, DC=cn
NotAfter           : 4/30/2014 11:33:24 AM
NotBefore          : 4/30/2012 11:33:24 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 53780A82000000000010
Services           : IMAP, POP, UM, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.jpe.cc, O=JPE, L=Zhuhai, S=Zhuhai, C=CN
Thumbprint         : FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/23/2012 2:27:54 AM
NotBefore          : 11/23/2011 2:27:54 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 693F54FBE4538BA74B126459921E7766
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=S08622
Thumbprint         : 725C0BAC45D055E87E7D54B1695C77E4E0CFE979
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/22/2012 1:30:37 AM
NotBefore          : 11/22/2011 1:30:37 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 2A5A932A0B8DF180465DDE7AD9F51CA1
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=S08622
Thumbprint         : 059A748E1A4F381BBA4AE08A4A62E546EF2DE16F
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/19/2012 1:33:51 AM
NotBefore          : 11/19/2011 1:33:51 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 3D088E4EF94CCE944868DC116F4A1B1E
Services           : UM, SMTP
Status             : Invalid
Subject            : CN=S08622
Thumbprint         : E18D507584D1BB5EB6124B23B9912801D3EAFB4E
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/18/2012 3:20:34 AM
NotBefore          : 11/18/2011 3:20:34 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : A7D245633412D3BE408A9DC74FE2C276
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=S08622
Thumbprint         : F137FC3A894F5B918978D182668CD2E60DF96471
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {s08612.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=jinnpina-S08603-CA, DC=jinnpina, DC=com, DC=cn
NotAfter           : 11/4/2013 7:07:08 PM
NotBefore          : 11/5/2011 7:07:08 PM
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 4E8F335B000000000005
Services           : None
Status             : Valid
Subject            : CN=s08612.jinnpina.com.cn, OU=jpe, O=jpe, L=zh, S=gd, C=CN
Thumbprint         : B2EED7A82B03C2D92105751646A7F9E0E18ED612
[PS] C:\Windows\system32>

Edge上的证书信息
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.jpe.cc, S08622.jinnpina.com.cn, S08622, autodisco
                     ver.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : C=CN, S=Zhuhai, L=Zhuhai, O=JPE, CN=webmail.jpe.cc
NotAfter           : 9/13/2014 3:28:12 PM
NotBefore          : 9/13/2013 3:28:12 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : A314B9CBC567A9AE4B85D7065B26B4A2
Services           : SMTP
Status             : Valid
Subject            : C=CN, S=Zhuhai, L=Zhuhai, O=JPE, CN=webmail.jpe.cc
Thumbprint         : 030F881D038B58C67ABB810B45AA5FCFA6B50020
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.jpe.cc, S08622.jinnpina.com.cn, S08622, autodisco
                     ver.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=jinnpina-S08603-CA, DC=jinnpina, DC=com, DC=cn
NotAfter           : 4/30/2014 11:33:24 AM
NotBefore          : 4/30/2012 11:33:24 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 53780A82000000000010
Services           : None
Status             : Valid
Subject            : CN=webmail.jpe.cc, O=JPE, L=Zhuhai, S=Zhuhai, C=CN
Thumbprint         : FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08602, S08602.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08602

请给出详细的操作步骤,或者加我QQ 595225937以便好处理,万分感谢!
回复
举报
达佰仕
技术学徒
只看该作者 16楼  发表于: 2013-09-16
已经三十几个小时了,管理员人呢。继续在线等待高手出现!!!
回复
举报
opop
高级工程师
只看该作者 17楼  发表于: 2013-09-16
回 达佰仕 的帖子
达佰仕:1.现在的情况是,在Edge上更新了证书Get-ExchangeCertificate -Thumbprint FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6 | New-ExchangeCertificate 后
把Edge的证书 New-EdgeSubscription生成XML文件
[图片]
2.再到mailbox上把之前的订阅删除,新建边缘订阅 (然后把m .. (2013-09-14 09:56) 

抱歉上次给的命令中复制错了Thumbprint导致renew的是第一张证书而不是我们要的第二张。需要再次执行下列命令以renew那张CertificateDomains里面包含S08602的证书。

Get-ExchangeCertificate -Thumbprint 4AF4E76CBBBF025B227E94237982B51931FE8E6A | New-ExchangeCertificate
回复
举报
达佰仕
技术学徒
只看该作者 18楼  发表于: 2013-09-16
在Edge上更新 Get-ExchangeCertificate -Thumbprint 4AF4E76CBBBF025B227E94237982B51931FE8E6A | New-ExchangeCertificate  证书后要不要在mailbox新建边缘订阅 ?谢谢!
回复
举报
opop
高级工程师
只看该作者 19楼  发表于: 2013-09-16
回 达佰仕 的帖子
达佰仕:在Edge上更新 Get-ExchangeCertificate -Thumbprint 4AF4E76CBBBF025B227E94237982B51931FE8E6A | New-ExchangeCertificate证书后要不要在mailbox新建边缘订阅 ?谢谢!(2013-09-16 15:36)嬀/color]

更新完证书之后应该需要重新进行边缘订阅已更新AD中的证书状态。

记得更新完证书之后,执行Get-ExchangeCertificate |fl,确保新的那张证书CertificateDomains里面有S08602, S08602.jinnpina.com.cn,并且Services后面显示有SMTP。然后再重新进行边缘订阅。

参考:
http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2007/ManagementAdministration/HowtorenewtheExchangeEdgeServerSMTPcertificate.html
回复
举报
发帖 回复
返回列表
123
快速回复
限60 字节
 
上一个 下一个