
I noticed that many domains are failing on Exchange 2013 because of an invalid wildcard certificate on their website.

How can I (at a minimum) scan and test for this type of failure?

Below is the beginning of my script, but I am really rusty in PowerShell. Does anyone think this is a valid solution, or have a better one?

$ErrorActionPreference = "Stop"

# Get-AcceptedDomain returns objects, not strings; the name lives in the DomainName property
$domains = Get-AcceptedDomain

foreach ($d in $domains)
{
    Try
    {
        $url = "https://$($d.DomainName)"
        $wc = New-Object System.Net.WebClient
        # Throws on a name mismatch, expired or untrusted certificate (and on DNS or connect failures)
        $wc.DownloadString($url) | Out-Null
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
        Send-MailMessage -From ExchangeAutodiscover@company.com -To chris@company.Com -Subject "Invalid SSL Certificate" -SmtpServer internalsmtp.nfp.com -Body "The error message was $ErrorMessage for domain $url"
        # No Break here: Break would leave the foreach after the first failure and skip the remaining domains
    }
}
makerofthings7
  • Just out of curiosity, are you an Exchange hosting provider? – Vick Vega Aug 29 '15 at 20:35
  • @VickVega No, it's a combination of independent firms... like a co-op – makerofthings7 Aug 29 '15 at 22:01
  • Do they all "sit" under the same AD infrastructure? – Vick Vega Aug 30 '15 at 18:06
  • @VickVega Yes, managed by myself - no special multi tenancy options. Most manage their own DNS and have their own workstation AD. (e.g. they pay us a fee to host mailboxes, but not a real multi tenancy, not a real unified company) I added a working solution for my HTTP needs below. I will need to test SRV records in DNS as well. – makerofthings7 Aug 30 '15 at 18:31
  • The reason I ask is because using a simple redirection technique you can repoint autodiscover for the particular domain to a redirection website built on IIS, pretty much in the same way Office365 works. This will void any testing scripts, etc. Just an idea. – Vick Vega Aug 30 '15 at 19:13
  • @VickVega not sure I follow, would I need to manage the DNS, IIS or both of the 3rd party companies? – makerofthings7 Aug 30 '15 at 20:39
  • Your client would adjust its autodiscover.client.com A record to point to your redirect IIS website for Outlook Autodiscovery, such as to redir.yourcompany.com. At the properties of the IIS website, you would redirect it to https://autodiscover.yourcompany.com which achieves the goal of configuring Outlook's autodiscover process to connect to the correct CAS servers. Basically, you would not need any script aside from pinging autodiscover.client.com and validating it's pointing to redir.yourcompany.com. So, the only thing you would "manage" is the IIS redirect website. – Vick Vega Aug 30 '15 at 21:07

1 Answer


Here is the script I came up with. I still need a way to easily just get all the active primary SMTP addresses, but this is a start.

# This script tests the naked domain and autodiscover record for issues.
# Often a wildcard cert will cause a name mismatch, or the cert is invalid, expired, or revoked.

$ErrorActionPreference = "Stop"

# TODO: don't use accepted domains, only use the addresses listed as a primary on
# a user, because that is the only domain that counts for Autodiscover.
$domains = "a.com", "b.com", "b.com"

$errors = @{}

foreach ($d2 in $domains)
{
    # Test both the naked domain and the autodiscover host name
    foreach ($url in "https://$d2", "https://autodiscover.$d2")
    {
        Try
        {
            $url   # progress output
            $wc = New-Object System.Net.WebClient
            # Throws on certificate problems, DNS failures and connection errors;
            # the page body itself is not interesting, only the exception is
            $wc.DownloadString($url) | Out-Null
        }
        Catch
        {
            # Indexer assignment tolerates a domain listed twice; hashtable Add() would throw on a duplicate key
            $errors[$url] = $_.Exception.Message
        }
    }
}

$sb = New-Object -TypeName "System.Text.StringBuilder"

foreach ($e in $errors.Keys) {
    # Typical messages seen here:
    #   "The remote name could not be resolved"
    #   "Could not establish trust relationship for the SSL/TLS secure channel"
    [void]$sb.AppendLine("$e had error @ $($errors[$e]) ")
}

# Only send a report when something actually failed
if ($errors.Count -gt 0) {
    Send-MailMessage -From ExchangeAutodiscover@company.com -To chris@company.Com -Subject "Invalid SSL Certificate Report" -SmtpServer internalsmtp.company.com -Body $sb.ToString()
}
makerofthings7
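The WebClient approach in the question and in the answer above only surfaces a generic "Could not establish trust relationship" message, so it cannot tell a wildcard name mismatch on the naked domain apart from an expired certificate or an untrusted chain. The following is an added example, not the asker's script, that opens the TLS connection with SslStream, inspects the presented certificate itself, and also follows the `_autodiscover._tcp` SRV record the asker said still needed testing. It assumes Windows PowerShell 5.1 or later with the DnsClient module (Resolve-DnsName); `Test-AutodiscoverCertificate` is a hypothetical function name, and the domains in `$domains` are constructed placeholders to be replaced with the primary SMTP domains from Exchange.

```powershell
# Added example (not from the original post): classify WHY an HTTPS endpoint's
# certificate would fail instead of catching WebClient's generic trust exception.
# Assumptions: Windows PowerShell 5.1+ with Resolve-DnsName; hostnames are placeholders.

function Test-AutodiscoverCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; Reachable = $false; Subject = $null; Issuer = $null
        NotAfter = $null; NameMatch = $false; ChainValid = $false; Problems = @()
    }
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to ${HostName}:${Port} timed out" }
        $client.EndConnect($async)
        $result.Reachable = $true

        # Accept every certificate in the callback so the handshake completes and we can
        # inspect the certificate ourselves; the verdict is computed below, not here.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, like Outlook would
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()

        $result.Subject = $cert.Subject; $result.Issuer = $cert.Issuer; $result.NotAfter = $cert.NotAfter
        $now = Get-Date
        if ($cert.NotAfter -lt $now)  { $result.Problems += "expired on $($cert.NotAfter)" }
        if ($cert.NotBefore -gt $now) { $result.Problems += "not valid until $($cert.NotBefore)" }

        # Name check: SAN DNS names plus the CN. A wildcard only covers ONE label, so
        # *.example.com matches autodiscover.example.com but not the naked example.com,
        # which is exactly the mismatch a wildcard certificate causes.
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Windows formats the SAN as "DNS Name=a.com, DNS Name=b.com"; .NET Core uses "DNS:a.com"
            $names += ($san.Format($false) -split ',\s*') |
                Where-Object { $_ -match '^(DNS Name=|DNS:)' } |
                ForEach-Object { ($_ -replace '^(DNS Name=|DNS:)', '').Trim() }
        }
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        foreach ($n in $names) {
            if ($n.StartsWith('*.')) {
                $idx = $HostName.IndexOf('.')
                if ($idx -gt 0 -and $HostName.Substring($idx + 1) -ieq $n.Substring(2)) { $result.NameMatch = $true }
            } elseif ($n -ieq $HostName) { $result.NameMatch = $true }
        }
        if (-not $result.NameMatch) { $result.Problems += "name mismatch: presented [$($names -join ', ')]" }

        # Chain check against this machine's trust store, with online revocation checking
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $result.ChainValid = $chain.Build($cert)
        if (-not $result.ChainValid) {
            $result.Problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.Status) $($_.StatusInformation.Trim())" })
        }
    }
    catch { $result.Problems += "connection error: $($_.Exception.Message)" }
    finally { if ($client) { $client.Dispose() } }
    return [pscustomobject]$result
}

# Constructed placeholder domains; replace with the primary SMTP domains of real mailboxes
$domains = 'example.com', 'example.net'
$report = foreach ($d in $domains) {
    foreach ($h in @($d, "autodiscover.$d")) { Test-AutodiscoverCertificate -HostName $h }
    # An _autodiscover._tcp SRV record can send Outlook to a different host and port entirely
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$d" -Type SRV -ErrorAction SilentlyContinue
    foreach ($r in $srv) {
        if ($r.NameTarget) { Test-AutodiscoverCertificate -HostName $r.NameTarget -Port $r.Port }
    }
}
$report | Where-Object { $_.Problems.Count -gt 0 } |
    Format-Table Host, NameMatch, ChainValid, NotAfter, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

The callback that returns `$true` is deliberately scoped to this diagnostic function so the handshake completes on a bad certificate; it must not be copied into code that actually consumes the connection. The per-host result objects can be piped into the same Send-MailMessage report the answer builds, with `Problems` giving the operator the actual reason (mismatch, expiry, chain) rather than a single trust error.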