As you would probably imagine, I run several lab environments to test, play with and break different things throughout my day-to-day work, and to keep these working smoothly I use Let’s Encrypt SSL certificates to provide reliable, and most importantly FREE, SSL certificates for my environment. These only last for 3 months, so I am updating my Exchange certificates quite regularly and have run across this problem more than once, and forgotten the fix each time. I’m writing this as a reminder to myself, and hopefully as a useful tip for anyone else out there who might run into this issue and not already know the fix.
This issue occurs when you update the SSL certificates from the Exchange Control Panel (ECP). This previously (in my experience of Exchange 2013) was simple enough: update the certificate and the enabled services within the ECP to the new certificate, restart IIS on your Exchange Server, and away you go. But I am repeatedly getting an issue with Exchange 2016 where this actually makes my server unusable until I take action to fix it.
The symptoms of the problem are immediately apparent within ECP: the login page displays as normal, but after logging in I just get a blank page. My next troubleshooting step is normally to go to PowerShell to look at what might be going on, but the Exchange Management Shell fails to connect to my Exchange Server as well. That is not a coincidence: the Exchange Management Shell is a remote PowerShell session that goes through the PowerShell virtual directory in IIS, so whatever breaks the web sites breaks the shell too. Now this is slightly more impacting in my lab environment, where I am only running a single Exchange 2016 server, than in a “normal” organisation where you would (or rather should) never be running just one Exchange server, but having access to the ECP or PowerShell from another server won’t actually help fix your issue, because the fix has to be applied on the affected server itself.
Instead of looking within Exchange for the issue, you need to go to IIS and check the site settings for your Exchange IIS websites. You will notice that within IIS there are two sites for Microsoft Exchange. One is the Default Web Site, with the standard virtual directories you would expect, ECP, OWA etc., bound to https on port 443. The other is the Exchange Back End site, which has a lot of duplicate virtual directories plus some additional ones, and is bound to https on port 444. Client requests hit the Default Web Site, which proxies them to the Exchange Back End site over HTTPS on port 444, so a broken certificate binding on port 444 breaks everything that is proxied through it, even though port 443 looks perfectly healthy. On the occasions I have seen this, the issue has come not from the fact that I have changed the certificate, but rather from the fact that when you update the certificates from the GUI in ECP it does not update the Exchange Back End site certificate bindings.
When you check the bindings of the “Exchange Back End” site (by right-clicking the “Exchange Back End” site and then clicking Edit Bindings), the https (port 444) binding has a blank or expired certificate (depending on whether you have renewed the certificate yet) and has not been updated to the shiny new certificate you assigned in ECP previously.
From here you can select your new certificate from the drop-down box, click OK and either run IISRESET or restart the site from within IIS Manager, and you should then be able to launch both the ECP and the Exchange Management Shell again. Because the ECP renewal only touches the Default Web Site binding, it is worth checking the port 444 binding after every renewal rather than waiting for the blank page to come back.
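The same check and fix can be scripted, which is handy when the ECP is the thing that is broken. The block below is an added example and is not from the original post: it reads the https binding of both Exchange sites with the IIS WebAdministration module, reports the bound thumbprint and expiry for each, and if the port 444 binding is blank, expired, or does not match the certificate on port 443, rebinds it to the port 443 certificate and recycles IIS. The function names are my own, the site names and ports are the Exchange defaults described above, and it assumes the certificate ECP assigned lives in the computer's Personal (My) store, which is where Exchange imports certificates.

```powershell
# Added example, not code from the original post.
# Audit and repair the "Exchange Back End" https binding (port 444) so it uses the
# same certificate as the Default Web Site (port 443). Run in an elevated PowerShell
# window on the affected Exchange server; the WebAdministration module ships with IIS.
Import-Module WebAdministration

function Get-ExchangeSiteBinding {
    # Returns the certificate currently bound to the https binding of one IIS site.
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][int]$Port
    )
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
    if (-not $binding) { throw "No https binding on port $Port for site '$SiteName'" }

    $hash  = $binding.certificateHash        # thumbprint, empty when nothing is bound
    $store = $binding.certificateStoreName   # usually 'My' (the computer Personal store)
    $cert  = $null
    if ($hash -and $store) {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $hash }
    }

    [pscustomobject]@{
        Site       = $SiteName
        Port       = $Port
        Thumbprint = $hash
        Store      = $store
        Subject    = if ($cert) { $cert.Subject } else { '<no certificate bound>' }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        # A binding with no resolvable certificate is treated as broken, same as expired.
        Broken     = -not $cert -or ($cert.NotAfter -lt (Get-Date))
    }
}

function Sync-ExchangeBackEndBinding {
    # Compares the two bindings and, with -Fix, rebinds port 444 to the port 443
    # certificate. Without -Fix it only reports, so it is safe to run as a check.
    param([switch]$Fix)

    $front = Get-ExchangeSiteBinding -SiteName 'Default Web Site' -Port 443
    $back  = Get-ExchangeSiteBinding -SiteName 'Exchange Back End' -Port 444
    $front, $back | Format-Table Site, Port, Thumbprint, Subject, NotAfter, Broken -AutoSize

    if ($front.Broken) {
        throw 'The Default Web Site certificate is itself missing or expired; fix that in ECP first.'
    }
    if (-not $back.Broken -and $back.Thumbprint -eq $front.Thumbprint) {
        Write-Host 'Exchange Back End port 444 binding already matches port 443; nothing to do.'
        return
    }

    Write-Warning 'Exchange Back End port 444 binding is blank, expired, or out of step with port 443.'
    if (-not $Fix) {
        Write-Host 'Re-run with -Fix to rebind port 444 to the port 443 certificate.'
        return
    }

    # AddSslCertificate(thumbprint, storeName) is the scripted equivalent of picking the
    # certificate in the Edit Bindings dialog in IIS Manager.
    $binding = Get-WebBinding -Name 'Exchange Back End' -Protocol https -Port 444
    $binding.AddSslCertificate($front.Thumbprint, $front.Store)

    # Recycle IIS so the new binding takes effect (the IISRESET step from the post).
    iisreset | Out-Null

    # Verify the repair before declaring victory.
    $after = Get-ExchangeSiteBinding -SiteName 'Exchange Back End' -Port 444
    if ($after.Broken -or $after.Thumbprint -ne $front.Thumbprint) {
        throw "Rebinding port 444 did not take effect (bound: '$($after.Thumbprint)')."
    }
    Write-Host "Exchange Back End port 444 now uses $($after.Subject) (expires $($after.NotAfter))."
}

# Usage: report only, then apply the fix.
Sync-ExchangeBackEndBinding
Sync-ExchangeBackEndBinding -Fix
```

Run it without `-Fix` first: the table it prints is exactly what the Edit Bindings dialog would show for the two sites, and a blank thumbprint or a past `NotAfter` on the port 444 row is the blank page in ECP waiting to happen. If you would rather cross-check against what Exchange thinks it assigned, `Get-ExchangeCertificate` from the Exchange Management Shell lists each certificate's thumbprint and the services it is enabled for, and the one marked for IIS should match the port 443 row.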