[求助]Exchange 2007 边缘出现证书错误 ID 12014 12015 [复制链接]

边缘的错误
ID12014 提示
Microsoft Exchange couldn't find a certificate that contains the domain name S08602.test.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector edgesync - default-first-site-name to internet with a FQDN parameter of S08602.test.cn. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

ID12015提示
An internal transport certificate expired. Thumbprint:4AF4E76CBBBF025B227E94237982B51931FE8E6A

下面这条是邮件服务器的错误
The remote internal transport certificate expired. Certificate subject: CN=S08602.

邮件有时候收发不正常，请教各位高手！

这个报错应该是边缘服务器上的SMTP服务上绑定的证书过期了导致的。

执行下列命令并将结果贴出来看看：

Get-ExchangeCertificate |fl

运行命令后结果如下：

图片:QQ图片20130816092038.jpg

达佰仕:运行命令后结果如下：
[图片](2013-08-16 09:19)嬀/color]

这说明edge上没有证书。

建议到HUB和Mailbox服务器上分别执行该命令，并将结果贴出来看看。

主要是找到Thumbprint为4AF4E76CBBBF025B227E94237982B51931FE8E6A的证书是哪一张。

是哪条命令呢？

达佰仕:是哪条命令呢？(2013-08-22 10:58)嬀/color]

Get-ExchangeCertificate |fl

执行后出现的错误提示：
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
Get-ExchangeCertificate : Unable to create Internet Information Services (IIS)
directory entry. Error message is: Access is denied.
. HResult = -2147024891.
At line:1 char:24
+ Get-ExchangeCertificate <<<<  |fl
    + CategoryInfo          : NotSpecified: (0:Int32) [Get-ExchangeCertificate
   ], IISGeneralCOMException
    + FullyQualifiedErrorId : DDE7F5A4,Microsoft.Exchange.Management.SystemCon
   figurationTasks.GetExchangeCertificate

达佰仕:执行后出现的错误提示：
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
Get-ExchangeCertificate : Unable to create Internet Information Services (IIS)
directory entry. Error message is: Access is denied.
. HResult = -2147024891.
.......(2013-08-31 14:59)嬀/color]

账号权限不对。建议打开Exchange命令行管理工具的时候，右键点击，然后选择Run as Administrator，然后再次尝试。

运行的结果如下：
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.jpe.cc, S08622.jinnpina.com.cn, S08622, autodisco
                     ver.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=jinnpina-S08603-CA, DC=jinnpina, DC=com, DC=cn
NotAfter           : 4/30/2014 11:33:24 AM
NotBefore          : 4/30/2012 11:33:24 AM
PublicKeySize      : 2048
RootCAType         : Enterprise
SerialNumber       : 53780A82000000000010
Services           : IMAP, POP, UM, IIS, SMTP
Status             : Valid
Subject            : CN=webmail.jpe.cc, O=JPE, L=Zhuhai, S=Zhuhai, C=CN
Thumbprint         : FAEDA25541860CB25EACDF5A4F3A049C0FEE2CF6

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/23/2012 2:27:54 AM
NotBefore          : 11/23/2011 2:27:54 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 693F54FBE4538BA74B126459921E7766
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=S08622
Thumbprint         : 725C0BAC45D055E87E7D54B1695C77E4E0CFE979

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/22/2012 1:30:37 AM
NotBefore          : 11/22/2011 1:30:37 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 2A5A932A0B8DF180465DDE7AD9F51CA1
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=S08622
Thumbprint         : 059A748E1A4F381BBA4AE08A4A62E546EF2DE16F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/19/2012 1:33:51 AM
NotBefore          : 11/19/2011 1:33:51 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 3D088E4EF94CCE944868DC116F4A1B1E
Services           : UM, SMTP
Status             : Invalid
Subject            : CN=S08622
Thumbprint         : E18D507584D1BB5EB6124B23B9912801D3EAFB4E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {S08622, S08622.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=S08622
NotAfter           : 11/18/2012 3:20:34 AM
NotBefore          : 11/18/2011 3:20:34 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : A7D245633412D3BE408A9DC74FE2C276
Services           : UM, SMTP
Status             : DateInvalid
Subject            : CN=S08622
Thumbprint         : F137FC3A894F5B918978D182668CD2E60DF96471

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {s08612.jinnpina.com.cn}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=jinnpina-S08603-CA, DC=jinnpina, DC=com, DC=cn
NotAfter           : 11/4/2013 7:07:08 PM
NotBefore          : 11/5/2011 7:07:08 PM
PublicKeySize      : 1024
RootCAType         : Enterprise
SerialNumber       : 4E8F335B000000000005
Services           : None
Status             : Valid
Subject            : CN=s08612.jinnpina.com.cn, OU=jpe, O=jpe, L=zh, S=gd, C=CN
Thumbprint         : B2EED7A82B03C2D92105751646A7F9E0E18ED612



[PS] C:\Windows\system32>

达佰仕:运行的结果如下：
[PS] C:\Windows\system32>Get-ExchangeCertificate |fl
AccessRules: {System.Security.AccessControl.CryptoKeyAccessRule, System
.......(2013-09-09 15:34)嬀/color]

HUB上的证书是正常的，如果edge上Get-ExchangeCertificate |fl 还是没有返回结果的话，你需要在Edge服务器上新建一张证书，包含12014报错里面提到的S08602.test.com，并作用在SMTP服务上，然后需要重新订阅Edge服务以更新AD里面的证书信息。

参考：http://technet.microsoft.com/en-us/library/bb218165(v=exchg.80).aspx