Friday, July 17, 2015

Exchange 2013 CU install fails because the certificate is expired

This issue was recently brought up in a community and today I ran into the same issue myself. An Exchange 2013 CU installation is in progress and after Setup removed the existing installation files, it fails while installing the Transport service of the Mailbox role:


The following error was generated when "$error.Clear();
          Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
            Install-AuthCertificate -DomainController $RoleDomainController
        " was run: "System.Security.Cryptography.CryptographicException: The certificate is expired…

Want happens here is quite easy to understand. As part of the CU installation Setup tries to enable the SSL certificate to the IIS service. This fails because the Valid To date on the certificate has passed, the certificate is no longer valid.


Easy, we simply replace the cert right? Well, remember that Exchange already removed the existing install? We have no access to the EMS at this point so we need Setup to finish the install before we can replace the certificate the proper way.

A silly but effective workaround to achieve this goal is to change the system time of the server to a date that falls in the range where the certificate was still valid.

Note: Make sure you (temporarily) disable the time synchronization feature of your hypervisor and the Windows Time service, or else it will change the time back in no time. :)

Now you can restart the CU installation, it will automatically detect the failed attempt and offers to continue the process.


When the CU installation has finished, enable the Windows Time service and/or the time sync feature of your hypervisor and observe the clock moving back to the correct time. Now would be a great time to fire up EMS and replace the SSL certificate with a new one. Reboot the box as best practice after installing a CU anyway and check the health of the server to verify if everything is working as it should.

So if your reading this you probably started your lab servers after a long time, just like I did. If you ran into this issue in a production environment, it's important to investigate why you ran with an expired certificate anyways. And if your certificate has expired, this article shows why you should replace it before you perform any maintenance on the server.

No comments: