Hi guys,
Have a 4 node DAG on 2013 (build 1156.6) that has been happily working away for the last couple of years. We have a reverse proxy in front of the Exchange servers that does SSL offloading. From the reverse proxy to the Exchange servers we use internal certificates from our Enterprise CA.
The reverse proxy / public certificate is fine - no changes. However the internal certificates expired on Saturday. I renewed all four of them (within the ECP -> CSR to CA -> Completed renewal in ECP) and service was restored. Initially everything seemed fine, but on Monday it appeared we couldn't get into the ECP. Same for OWA.
Get to the logon page, but after entering valid credentials it loops back round to the sign in page again. In fact it's identical to this KB: https://support.microsoft.com/en-us/help/2779694/unable-to-open-owa,-ecp,-or-ems-after-a-self-signed-certificate-is-removed-from-the-exchange-back-end-website
I have duly ran:
New-ExchangeCertificate -Servername <nameofserver> -FriendlyName <Microsoft Exchange Renewed>
As per the KB and set each servers newly generated certificate as the backend website SSL/444 binding, followed by an IISReset. However this hasn't resolved the issue.
Any suggestions? Can't be a coincidence that we're having this straight after the certificates expired...! As of right now the self-generated Exchange certificates are on their respective Exchange backend websites, with our Internal CA certificate (now renewed!) on the Exchange services (default web site).
Any ideas?!
Thanks - Steve