Cert Hostname DOES NOT VERIFY: Let's Encrypt certificate, Exchange 2016 CU21

Luis Alberto 101 Reputation points
2021-09-01T20:54:08.707+00:00

Practicing with certificates: the Let's Encrypt certificate is created normally with win-acme, and OWA, IMAP and Autodiscover work with SSL.

Testing with CheckTLS, it gives me an alert message:

Cert Hostname DOES NOT VERIFY
(mail.contoso.com != mail | DNS:mail | DNS:mail.lan.contoso.com)

In this forum they mention something about the error.

Following the recommendations of this forum, my DNS settings are:

Private AD DNS (lan.contoso.com)

--------------------------------

Record Type    DNS Name                     Internal IP
A              mail.lan.contoso.com         192.168.1.4
A              DC01.lan.contoso.com         192.168.1.3

Private DNS (contoso.com) SPLIT

-------------------------------

Record Type    DNS Name                     Internal IP
A              mail.contoso.com             192.168.1.4
A              autodiscover.contoso.com     192.168.1.4

Public DNS (contoso.com)

------------------------

Record Type    DNS Name                     Value
A              mail.contoso.com             xxx.xxx.xxx.xxx
A              autodiscover.contoso.com     xxx.xxx.xxx.xxx
MX             @                            mail.contoso.com

The certificate is for the public domain, but SMTP sends me a response from the private AD domain and not from the split domain, which is the same as the public domain.
What am I forgetting to configure? By the way, the PTR record is already registered by the ISP.


Accepted answer
Luis Alberto 101 Reputation points
2021-09-11T15:58:29.947+00:00

    After much testing, I understand some of the error message in CheckTLS. It is the certificate used by the Exchange receive connector.
    I retested in CheckTLS and passed the entire test without errors.

    Thanks for the advice @Yuki Sun-MSFT , I will continue to practice .

    ----------

    I share my solution with you, I hope it helps others with this problem.

    I do not know if it is a good procedure, but it is the solution that I am using.
    I used the following Microsoft documentation for reference.

    1. Verify that the Let's Encrypt certificate is created and the services are enabled:

       Get-ExchangeCertificate | Format-List FriendlyName,Thumbprint,Issuer,Subject,CertificateDomains,Services

    2. Identify the receive connector to assign it to; I was more focused on anonymous users:

       Get-ReceiveConnector | where {$_.Bindings -like '*25' -AND $_.PermissionGroups -like '*AnonymousUsers*'} | Format-List Identity,Bindings,RemoteIPRanges,PermissionGroups

    3. Having identified the connector, assign the certificate (the TlsCertificateName value is the issuer and subject of the certificate, prefixed with <i> and <s>):

       $cert = Get-ExchangeCertificate -Thumbprint xxxxxxxx
       $tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
       Set-ReceiveConnector "Server_Name\Default Frontend Server_Name" -TlsCertificateName $tlscertificatename

    4. Verify that the certificate was assigned to the receive connector:

       Get-ReceiveConnector -Identity "Server_Name\Default Frontend Server_Name" | Format-List Name,Fqdn,TlsCertificateName
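The CheckTLS line quoted in the question is a plain hostname-versus-subjectAltName comparison: the name the sender connects to (mail.contoso.com) has to appear among the certificate's DNS names, and a short name such as "mail" or an internal FQDN under lan.contoso.com does not count. The following script is an added example, not code from this thread or from Microsoft, that reproduces that check: it connects to port 25, issues STARTTLS, validates the chain but not the hostname so a mismatched certificate can still be inspected, and reports which DNS names the server actually presented. The hostnames and SAN lists embedded in it are constructed from the values in the question; the function names are my own.

```python
"""Report which DNS names an SMTP server's STARTTLS certificate covers.

Added example (not from the original thread). It mirrors the check behind
CheckTLS's "Cert Hostname DOES NOT VERIFY" result: the hostname you connect
to must match a dNSName subjectAltName entry of the served certificate.
"""
import smtplib
import ssl
import sys
from typing import Iterable, List


def hostname_matches(hostname: str, san_names: Iterable[str]) -> bool:
    """True if hostname matches any dNSName SAN, RFC 6125 style.

    A wildcard is honoured only as the entire left-most label, covers exactly
    one label, and must leave at least two fixed labels (so "*.com" is rejected).
    A bare short name such as "mail" never matches an FQDN.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def san_dns_names(peercert: dict) -> List[str]:
    """Extract dNSName entries from the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def explain(hostname: str, san_names: List[str]) -> str:
    """Format the verdict in the same spirit as the CheckTLS message."""
    if hostname_matches(hostname, san_names):
        return f"Cert Hostname VERIFIES ({hostname})"
    listed = " | ".join(f"DNS:{n}" for n in san_names)
    return f"Cert Hostname DOES NOT VERIFY ({hostname} != {listed})"


def fetch_smtp_peercert(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, EHLO, STARTTLS and return the parsed peer certificate.

    The chain is still validated (verify_mode stays CERT_REQUIRED), but the
    hostname check is disabled so that a mismatched certificate can be
    inspected instead of aborting the handshake. Do not reuse this context
    for real mail delivery.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    # Offline demonstration with the SAN list constructed from the question.
    constructed_sans = ["mail", "mail.lan.contoso.com"]
    print(explain("mail.contoso.com", constructed_sans))
    # Live probe when a hostname is given on the command line.
    if len(sys.argv) > 1:
        target = sys.argv[1]
        cert = fetch_smtp_peercert(target)
        print(explain(target, san_dns_names(cert)))
```

Run it as `python check_smtp_san.py mail.contoso.com` against your own server after reassigning the receive connector certificate; the verdict should flip from DOES NOT VERIFY to VERIFIES once the Let's Encrypt certificate, whose SAN list contains mail.contoso.com, is the one presented on port 25.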

Yuki Sun-MSFT 41,376 Reputation points Moderator
2021-09-02T05:31:28.03+00:00

    Hi @Luis Alberto ,

    Aside from the alert message, is it causing real problems, like messages that cannot be sent or received? If yes, are there any clues in the undeliverable message?

    Besides, I noticed that, as mentioned in the last article about internal DNS settings you shared above, the recommended internal DNS records are slightly different from yours in the DNS Name fields:

    Record Type    DNS Name                     Internal IP
    A              mail.contoso.com             192.168.1.3
    A              autodiscover.contoso.com     192.168.1.3

    So I'd suggest checking it from your side and updating the internal settings in the split domain to see how it goes.



