| EDIT |
| This issue is described in KB2971270 and is fixed in CU6. |
I ran a couple of times in this error. After applying changes to SSL certificates (add, replace or delete a SSL certificate) and rebooting the server, the event log is flooded with events from source “HttpEvent” and event id 15021. The message says:
An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data.
If you try to access the Exchange Control Panel (ECP) or Outlook Web Access (OWA), you will get a blank website. To solve this issue, open up an elevated command prompt on your Exchange 2013 server.
C:\windows\system32>netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 1ec7413b4fb1782b4b40868d967161d29154fd7f
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:444
Certificate Hash : a80c9de605a1525cd252c250495b459f06ed2ec1
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 0.0.0.0:8172
Certificate Hash : 09093ca95154929df92f1bee395b2670a1036a06
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
IP:port : 127.0.0.1:443
Certificate Hash : 1ec7413b4fb1782b4b40868d967161d29154fd7f
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : DisabledCheck the certificate hash and appliaction ID for 0.0.0.0:443, 0.0.0.0:444 and 127.0.0.1:443. You will notice, that the application ID for this three entries is the same, but the certificate hash for 0.0.0.0:444 differs from the other two entries. And that’s the point. Remove the certificate for 0.0.0.0:444.
C:\windows\system32>netsh http delete sslcert ipport=0.0.0.0:444 SSL Certificate successfully deleted
Now add it again with the correct certificate hash and application ID.
C:\windows\system32>netsh http add sslcert ipport=0.0.0.0:444 certhash=1ec7413b4fb1782b4b40868d967161d29154fd7f appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}"
SSL Certificate successfully addedThat’s it. Reboot the Exchange 2013 server and everything should be up and running again.
Feel free to follow him on Twitter and/ or leave a comment.
- Veeam B&R backup failes with “No scale-out repository extents are available” - February 24, 2021
- WatchGuard Network Security Essentials Exam - January 19, 2021
- VCAP-DCV Design 2021 – Objective 1.1 Gather and analyze business requirements - January 5, 2021
thanks for the post, but in the last step u add sslcert with defined hash (which is not the same hash too) from where do u get this hash??
Sorry, an incorrect copy & paste action. I corrected the corrosponding line.
Thank you!
Thank You.. :)
very nice article..
Thank you so much. Saved me from a lot of angry people! Now I just wish Microsoft updates would stop breaking things…
Thank you so so so much for this – you rock man!! Saved my Job!!!
Thank you for your feedback. :)
Great article – thanks heaps
Thank you! :)
Thank you so much! Very easy steps to follow and the exact same problem. FIXED!!!!
Thanks man, save my day. You know the reason why is this happened?
Great tip. Got Exchange back online. Come On Microsoft Updates!!!
Thank you! I had suspected SSL, but they all looked in good shape in IIS!
Thank you so much!!! I hade the same problem with an Exchange 2019.
Hi Ulf, glad that it worked for you. Thank you for your feedback! :)
Thanks so much.
After installing Exch2013 CU22, the backend bindings had lost the cert.
This post lead me to the answer.
Thanks, spent a weekend on this!
Thank you! Got this error after renewing certificates on 2013 and you’re answer was just what i need.
Have a good one!
Man, this saved my weekend. Thanks so much for this guide. Any idea what triggers this error? We didn’t change any certs or install updates lately.
Great to hear that! :) I really don‘t know why this happens. But I see this error from time to time in different deployments, but mainly after certificate changes or CUs.
Spot on !
Thanx
Thanks, fixed the issue! Issue was probably caused by renewing the Exchange certificate.
Thanks! Also solved a problem that occurred for us after demoting some domain controllers. Not sure why that would have have anything to do with the cert but this save me hours of scratching my head.
Thank you! This saved my day. I guess this was caused by certificate renewal in our case as well.
Bingo! Thanks for the tip. Port 444 had no cert assigned. Was working fine for months until I did some maint and rebooted it today.
Amazing fix, thank you. Although as an IT person I am fond of the full reboot where possible, ** I actaully found a simple “iisreset” was sufficient in this case **
Thank you, 4 years later this is still an issue when updates are applied! Great article!
Thank you very much! You really saved my ass from many angry users.
Thank you very much for this article.
You are a hero!!!
In our case, we renewed our certificate a month ago but had not restarted, so it was still running on the old cert. After rebooting, we lost EMS and ECP, and clients lost Outlook connection.
The flood of evt 15021 gave us the clue.
again, thankyouthankyouthankyou!!!
Amazing Fix, Sunday 7 pm…and You the first hit and the immediate solution, thank you!!!
You rock dude!!! This saved me from a bad day!!! Thanks man!!
still saving exchange administrators in covid 2020. thanks mate. saved me hours from having to uninstall and reinstall the exchange box.
Just happened to one of our Exchange Server 2016 mailbox servers on CU15 after patch Tuesday. Clearly the bug still exists, but your fix worked! Thanks!
Thank you so much. You saved my day too. Greetings from Amsterdam.
excellent post
Thx Patrick! saved my day!!!
Thanks, Fixed my issue after a Windows Update on Server 2012r2 and Exchange 2013 cu 20 in August 2020.
Nice and easy to understand
Cheers
Thank you. Fixed our issues after critical OS updates W2012R2.
=)
Amazing, saved me
thank’s you save my days and my brain :)
Thank you very much, this saved my bacon!
Excellent fix! Vintage save by IT department!
Count me in with the growing list of eternally grateful sysadmins!
Thanks you so much for publishing this still-useful fix that saved me countless hours and lots of frustration.
Thank you so much for this fix.
You saved us.
HOLY COW! WORKED INSTANTLY! TY!
Thank you sooooo much! Worked perfectly!
Dude I owe your a Beer and a Steak Dinner. Save me big time!
The same occurred after tonight updates. Thank you!