This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 24%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
hi
I have an on premise exchange server with server 2019 and exchange 2019, have renewed the certificate and assigned to receive connectors, making a new self signed certificate and again assign it to receive connectors , right now its on the renewed prebuilt certificate that exchange created but I still cant get the TLS running and get the 12014 error!
searching all over internet, what can be wrong? i would appreciate if anyone could help
exchange Version 15.2 (Build 986.5)
Microsoft Exchange could not find a certificate that contains the domain name <I>CN=mail.name.com<S>CN=mail.name.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector web-relay with a FQDN parameter of <I>CN=mail.name.com<S>CN=mail.name.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Do you have a valid cert with a subject name of mail.name.com and assigned to SMTP installed on the server?
yes , and right now it is the default certificate installed with exchange
it is enabled for use in smtp and assigned exact FQDN that is assigned in all receive connectors and is the FQDN of the server mail.name.com
i used this method to assign certificate to receive connectors:
https://practical365.com/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/
Did you restart the Transport service?
What were the exact steps you used for renew the cert?
What does protocol logging show for the connectors?
2022-02-28T23:35:17.301Z,mail\Default Frontend MAIL,08D9FB08F81C3CC2,1,192.168.1.232:25,206.83.40.12:56092,>,"220 mail.name.com Microsoft ESMTP MAIL Service ready at Tue, 1 Mar 2022 03:05:16 +0000",
2022-02-28T23:35:21.137Z,mail\Default Frontend MAIL,08D9FB08F81C3CC2,2,192.168.1.232:25,206.83.40.12:56092,<,ehlo,
2022-02-28T23:35:21.137Z,mail\Default Frontend MAIL,08D9FB08F81C3CC2,3,192.168.1.232:25,206.83.40.12:56092,>,250 mail.name.com Hello [206.83.40.12] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING SMTPUTF8 XRDST,
i think its all I can find!
apparently the tls was not working from the beginning! I renew the default certificate from the ecp and make a new one also but the result were all the same, server is already working but for some application we need this tls to work
You dont seen anything in the logs showing the cert or STARTTLS?
Is TLS enabled on that receive connector?
yes I don't have the STARTTLS because of the 12014 error!
in the default frontend mail that I post its log the TLS is enabled
in the event viewer I have 12014 error as in the last post log time
it was the self signed certificate within the exchange, shouldn`t it be trusted if I use the process of making new certificate with the exchange?
so I managed to make STARTTLS running, the certificate in the personal certificate was not trusted so i copy that to the trusted root certification authorities and the error is gone and in ehlo request i can see the STARTTLS
Ok, so the cert wasnt a third party cert or internal CA? that makes sense then
Glad you got it working.
So that others can see:
Make sure the certificate is trusted by the server!
Yes, typically that will ensure its in the personal and Trusted root, so not sure why it didnt in your case.
Maybe first need to restart the transportation service