Tag Archives: SSL

A special Rpc error occurs on server xxxxx These certificates are tagged with following Send Connectors

So our SAN SSL certificate was coming up for renewal and I really wanted to expand what was covered by it to include more devices. In general anything internal was using a self-signed certificate and anything external used the SAN SSL. That worked fine, but when it came time for renewal I figured why not just get a wildcard SSL and assign it to anything I could. It would also keep me from having to update subject names when there was a change.

So I bought a Wildcard SSL from GoDaddy and started assigning it to everything: switched out the certificate on our firewall and VPN clients, mail server, web server, etc. Everything seemed to work fine. Then it came time to remove the old one once things were tested. Removing it from IIS was fine, removing it from the firewalls likewise, but removing it from the Exchange Control Panel gave the error in the title.

Now we do have an Exchange Online Hybrid deployment set up with centralized mail transport. We use a cloud-based Barracuda spam/malware filter, so all email in and out of the company goes through them and then to our internal mail server. Any mailbox on Exchange Online then goes from our mail server to it and back. Well, apparently when I set this up it created a send connector to route mail to Exchange Online and, since that connector uses TLS, attached the certificate that was in use at the time, which I was now trying to delete.

Unfortunately you can’t just go into the Send Connector in the ECP and reassign the certificate, but you can do it by following some steps based on the Microsoft Set-SendConnector page. First get the list of your send connectors and the list of your certificates:

Get-SendConnector
Get-ExchangeCertificate

Copy the name of the send connector from the error message and the thumbprint of your new certificate. Next, use that certificate to build the TlsCertificateName value (the certificate's issuer and subject, in the <i>Issuer<s>Subject form the cmdlet expects) and assign it to the send connector:

$cert = Get-ExchangeCertificate -Thumbprint <your thumbprint>
# TlsCertificateName is the issuer and subject of the new certificate in the <i>Issuer<s>Subject format
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Once your send connectors are updated you should be able to remove the old certificate. If you are also using TLS on your receive connectors, do the exact same thing with the Set-ReceiveConnector command.

Note: If your new certificate has the exact same subject name then the connector might not update. You’ll have to clear the old value first using:

Set-SendConnector -Identity <connector name> -TlsCertificateName $Null

See https://learn.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-remove-installed-certificate for more information.

Adding an SSL Certificate to a WorkPlace N4 Web Supervisor

So as a follow-up to my post Adding an SSL Certificate to a Vykon AX Web Supervisor: the way WorkPlace N4 web supervisors import a certificate is slightly different. Mainly, the key needs to be in an unencrypted RSA format, which was tripping me up. So if you need to do this, first read that prior post; the only real change is to use this command to export your key:

openssl pkcs12 -in CertExport.pfx -nocerts -nodes -passin pass:YourPassword | openssl rsa -out key.pem

You will find the key is exported with an “RSA” tag in the headers now (BEGIN RSA PRIVATE KEY). Follow the same instructions from the other post to make your pem file (key, cert, intermediate, root) and it should import into an N4 supervisor just fine.

Sophos XG Firewall PCI Compliance Woes

Recently I deployed a Sophos XG firewall to replace my very much aging Microsoft Forefront TMG 2010 firewalls. For the most part, after lots of back and forth with Sophos tech support, I got it working correctly for things like Outlook Anywhere, Web and Mobile Access, protecting internal websites, and general web filtering. Everything seemed fine until our monthly PCI compliance scans came along and we failed miserably. TLS 1.0 was enabled, HTTP TRACK/TRACE was enabled, and 64-bit ciphers (3DES) were enabled for each external IP that we were hosting a site on. I contacted Sophos and, long story short, there is currently no way to fix these through the UI (v16); all of them required manually editing the Apache httpd file on the box. So here is how to do it.

First telnet into your XG, log in, then choose 5 Device Management, then 3 Advanced Shell. Type in the following:

# mount -no remount,rw /
# vi /usr/apache/conf/httpd.conf

You should now be able to edit the file. Press “I” once to enter insert mode. Find the SSLCipherSuite line and remove any sections (between the colons) that have 3DES in them. For example, the original cipher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cipher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Now find the SSLProtocol line, usually right below the ciphers, and remove support for whichever protocol by adding it with a minus. Here is the original line:

SSLProtocol all -SSLv2 -SSLv3

Modified protocol line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Lastly, to turn off TRACE, add a new line under these:

TraceEnable off

Hit ESC, then type :w and Enter to write the file, then :q and Enter to quit. Then restart the services and put things back to what I’m assuming is read-only:

# service apache:restart -ds nosync
# service WAF:restart -ds nosync
# mount -no remount,ro /

Keep in mind that any Outlook 2010 clients you have in the field might try to connect using TLS 1.0 and will fail with a cryptic proxy server error. You can follow this site to hopefully fix that: https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/
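As an added example that is not from the post or from Sophos, here is the same three-line hardening done with awk instead of vi, plus a check to run on the result before swapping it in and again after the services restart. It assumes the httpd.conf path from the post; the sample config is constructed from the two original lines above.

```shell
# Added example (not Sophos' code or the post's): make the three httpd.conf edits above
# with awk instead of vi, writing the result to stdout, plus a check to run on the result.
# Assumes the XG path from the post; try it on a copy before touching the live file.

# Read a httpd.conf and print it with: 3DES groups removed from SSLCipherSuite,
# -TLSv1 -TLSv1.1 appended to SSLProtocol, and TraceEnable forced to off
# (added at the end if the file has no TraceEnable line at all).
harden_conf() {  # harden_conf /usr/apache/conf/httpd.conf > /tmp/httpd.conf.new
    awk '
        /^[ \t]*SSLCipherSuite[ \t]/ {
            n = split($2, g, ":"); v = ""
            for (i = 1; i <= n; i++) if (g[i] !~ /3DES/) v = (v == "") ? g[i] : (v ":" g[i])
            print "SSLCipherSuite " v; next
        }
        /^[ \t]*SSLProtocol[ \t]/ {
            line = $0
            if (line !~ /-TLSv1( |\t|$)/) line = line " -TLSv1"
            if (line !~ /-TLSv1\.1/) line = line " -TLSv1.1"
            print line; next
        }
        /^[ \t]*TraceEnable[ \t]/ { print "TraceEnable off"; trace = 1; next }
        { print }
        END { if (!trace) print "TraceEnable off" }' "$1"
}

# 0 only if the file has no 3DES group, disables TLS 1.0 and 1.1, and turns TRACE off;
# run it on the new file before swapping it in, and again after the services restart.
verify_conf() {  # verify_conf /tmp/httpd.conf.new
    ! grep -Eq '^[[:space:]]*SSLCipherSuite.*3DES' "$1" &&
    grep -Eq '^[[:space:]]*SSLProtocol.*-TLSv1([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*SSLProtocol.*-TLSv1\.1' "$1" &&
    grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off' "$1"
}

# Constructed sample with the two original lines from the post, for trying the functions.
write_sample_conf() {  # write_sample_conf <file>
    cat > "$1" <<'EOF'
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3
EOF
}
# On the box (after the remount,rw step):
#   harden_conf /usr/apache/conf/httpd.conf > /tmp/httpd.conf.new && verify_conf /tmp/httpd.conf.new \
#     && cp /usr/apache/conf/httpd.conf /tmp/httpd.conf.bak && cp /tmp/httpd.conf.new /usr/apache/conf/httpd.conf
# From outside, after the restarts: "openssl s_client -connect host:443 -tls1" should fail to
# handshake and "curl -k -X TRACE https://host/" should get HTTP 405.
```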

Adding an SSL Certificate to a Vykon AX Web Supervisor


A couple of years ago I helped set up an SSL certificate for an AX Supervisor, a product that is usually used as a web interface front end to an automation product called a JACE. The software was installed on a Microsoft Server 2008 R2 system and was serving up the information through a B2B VPN, and the other company, even though the traffic was “internal”, requested an SSL. No biggie I thought, I’ve installed SSLs many times. So I installed the certificate on the server but the AX software didn’t see it. I went into the software’s platform and into the Certificate Management section to import a certificate. It only accepted pem files, so I converted my Windows certificate over, but it didn’t like that either. So I started reading the only guide I could find on the subject, titled “NiagaraAX SSL Connectivity Guide”. Ironically it has page after page on how SSL works and how to generate a self-signed certificate, then export it and import it onto all of the computers accessing the system, but nothing on importing an existing certificate as a pem file. Long story short, the way an AX Supervisor wants the pem is to have it include the key, the certificate, the intermediate certificate, and the root certificate, in that order, all in one file. So for the 9 people in the universe that will actually need to do this sometime in their life and can’t figure it out, here is what I had to do.

First I downloaded the Windows 32-bit binaries of OpenSSL (from https://slproweb.com/products/Win32OpenSSL.html) and installed them. I copied the pfx file that I exported out of my server (with key/password) and put it in the same directory as openssl.exe (usually the bin folder). I opened up a command prompt, navigated to the bin directory, and ran the first command to get my private key:

openssl pkcs12 -in CertExport.pfx -nocerts -nodes -out key.pem

Then another command to export my certificate:

openssl pkcs12 -in CertExport.pfx -nokeys -out cert.pem

I now needed my intermediate and root certificates which, since I was using GoDaddy, were downloadable from their site (https://certs.godaddy.com/repository). I imagine it's the same for any other certificate authority. I created a new text file and first took the contents of the key.pem file (minus the headers, keeping the begin and end tags), then followed it with the contents of my cert.pem file (again no headers) then, and this is important, followed those with the intermediate and then the root. I saved this as MYFullCert.pem and that imported right in without an issue. I was then able to use that for both the Platform SSL certificate and for the Station's WebService certificate. Rebooted the server and everything looked good.

Note: This applies to AX 3.7. I have found the certificate will not import into 3.8 using the same instructions. What does work, however, is importing it into 3.7 and then exporting it. The exported file appears to have an extra line added, which does work on 3.8.
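As an added example that is not from this post or the N4 follow-up, the shell functions below build the pem in the order described here (key, cert, intermediate, root), strip the Bag Attributes noise that openssl pkcs12 prints, and include the extra openssl rsa pass the N4 supervisor needs. File names are placeholders and the sample data is constructed.

```shell
# Added example (not from either post): build the single pem an AX/N4 supervisor wants,
# in the order key, cert, intermediate, root, then check that order before importing.
# File names are placeholders; the sample data in write_samples is constructed, not real.

# Keep only PEM block(s) whose BEGIN line contains "$1" (e.g. CERTIFICATE); this drops
# the "Bag Attributes" and subject=/issuer= lines that openssl pkcs12 prints around them.
pem_blocks() {
    awk -v kind="$1" '
        /^-----BEGIN / { if (index($0, kind) > 0) keep = 1 }
        keep { print }
        /^-----END / { keep = 0 }'
}

# N4 key export: the extra "openssl rsa" pass yields the unencrypted PKCS#1 block
# ("BEGIN RSA PRIVATE KEY"). Assumption: on OpenSSL 3.x that pass also needs
# -traditional, otherwise it writes a PKCS#8 "BEGIN PRIVATE KEY" block instead.
export_key() {  # export_key CertExport.pfx YourPassword > key.pem
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" | openssl rsa
}

# Concatenate the four parts in the required order, each reduced to its PEM block.
build_chain() {  # build_chain key.pem cert.pem intermediate.pem root.pem > MYFullCert.pem
    pem_blocks "PRIVATE KEY" < "$1"
    pem_blocks CERTIFICATE < "$2"
    pem_blocks CERTIFICATE < "$3"
    pem_blocks CERTIFICATE < "$4"
}

# 0 only if the file starts with a private key block, is followed by exactly three
# certificate blocks, and carries no leftover Bag Attributes text.
check_chain() {  # check_chain MYFullCert.pem
    case "$(grep '^-----BEGIN ' "$1" | head -n 1)" in *"PRIVATE KEY-----") ;; *) return 1 ;; esac
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$1")" -eq 3 ] || return 1
    ! grep -q '^Bag Attributes' "$1"
}

# Constructed stand-ins for key.pem / cert.pem (as openssl pkcs12 prints them, with the
# header noise) and for the CA files; the base64 bodies are fake placeholders.
write_samples() {  # write_samples <dir>
    printf 'Bag Attributes\n    localKeyID: 01 02\n-----BEGIN RSA PRIVATE KEY-----\nFAKEKEY\n-----END RSA PRIVATE KEY-----\n' > "$1/key.pem"
    printf 'subject=/CN=example.test\n-----BEGIN CERTIFICATE-----\nFAKELEAF\n-----END CERTIFICATE-----\n' > "$1/cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nFAKEINTER\n-----END CERTIFICATE-----\n' > "$1/intermediate.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nFAKEROOT\n-----END CERTIFICATE-----\n' > "$1/root.pem"
}
# Real run: export_key as above, "openssl pkcs12 -in CertExport.pfx -nokeys -clcerts -out cert.pem"
# for the leaf only, then build_chain ... > MYFullCert.pem && check_chain MYFullCert.pem
```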