I’m looking for some help with errors in the event log of our Exchange 2013 server. OS is 2012 R1. All three DCs are 2012 R2. We do not encrypt email and used -DoNotRequireSSL on cert commands. I’ve scoured the Internet and other forums but haven’t found an answer.
Schannel Error 36887 - A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.
The frequent Schannel errors go back as far as the event viewer’s start date (2 weeks), so I’m not sure how, why and when they began, but they’re occurring too often to ignore. As far as we know everything is operational, but the errors weren’t always there, so something changed, and it could have been during the recent CA certificate renewal process. It could also be due to the fact that there are two nearly identical self-signed certs, one with IIS,SMTP and one with only SMTP. I know from the SmtpReceive logs that the thumbprint being used by SMTP is the one that begins with BD0. Are the errors caused by IIS not being assigned to this cert (see screen shots)? The Schannel error with code 46 specifically means TLS1_ALERT_CERTIFICATE_UNKNOWN.
When I use Enable-ExchangeCertificate on the BD0 cert and assign it the IIS,SMTP services, then IIS is ripped from the CA cert’s (thumbprint D18) services and certificate errors appear on Outlook clients.
What would happen if I delete either the BD0 or 570 cert? It seems like I need to get rid of one of these while not breaking everything. Again, all appears to be fully functional so I’m proceeding with caution to say the least.
Any thoughts or ideas are appreciated. Thanks in advance.
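The following is an added example and is not part of the original post or a Microsoft script. It is the inventory a practitioner would run in the Exchange Management Shell on the Exchange 2013 server before touching either self-signed certificate: list every certificate Exchange knows about and the services bound to it (only one certificate can hold the IIS binding, which is why enabling IIS on the BD0 cert moved it off the D18 CA cert), list the receive connectors and the FQDN they present for STARTTLS, and bucket the Schannel 36887 events whose message carries alert code 46 by hour so they can be compared with the SmtpReceive protocol logs. The thumbprint prefixes BD0, D18 and 570 are taken from the post; the log path and hour bucketing are the example's own choices.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Exchange 2013 server. Nothing here changes configuration; it only reads state.

# 1. Which certificates does Exchange know about, and which services does each serve?
#    A certificate whose Services value is "None" is not bound to anything; exactly
#    one certificate can carry IIS at a time, so enabling IIS on a second certificate
#    silently removes it from the first (the behaviour described for BD0 and D18).
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Services, IsSelfSigned, RootCAType, Subject, NotAfter -AutoSize

# 2. Which certificate is offered for STARTTLS depends on the FQDN the receive
#    connector presents (and on TlsCertificateName where it is set). Compare the
#    FQDN here against the Subject / SANs of the BD0 and 570 certificates above.
Get-ReceiveConnector |
    Format-Table Identity, Fqdn, TlsCertificateName, Bindings -AutoSize

# 3. Where the SmtpReceive protocol logs live, so the thumbprint they record can be
#    matched against the inventory in step 1.
Get-TransportService |
    Format-List Name, ReceiveProtocolLogPath, ReceiveProtocolLogEnabled

# 4. Pull the Schannel 36887 events from the last 14 days, keep only those with
#    "fatal alert code is 46" (TLS1_ALERT_CERTIFICATE_UNKNOWN) and count them per hour.
#    A steady hourly rate points at an automated peer (monitoring, a mail relay, a
#    client polling loop) rather than at interactive users.
$since  = (Get-Date).AddDays(-14)
$events = Get-WinEvent -FilterHashtable @{
              LogName      = 'System'
              ProviderName = 'Schannel'
              Id           = 36887
              StartTime    = $since
          } -ErrorAction SilentlyContinue

$alert46 = $events | Where-Object { $_.Message -match 'fatal alert code is 46' }

"Schannel 36887 events since $since : $($events.Count); with alert code 46: $($alert46.Count)"

$alert46 |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Format-Table Name, Count -AutoSize
```

Read the output of step 1 first: if one of the two self-signed certificates shows Services as None, nothing in Exchange references it and it is the safe one to remove with Remove-ExchangeCertificate; if both still show SMTP, the receive connector FQDN from step 2 decides which one is actually presented, and the other is the candidate for removal. The per-hour counts in step 4 give a baseline to confirm that the alert-46 events stop after the change rather than merely assuming so.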