Exchange 2013: Expired certificates and Service Pack 1 (Caution!)

When installing Service Pack 1 for Exchange 2013, a nasty error can occur under certain circumstances. This is caused by expired certificates that are used by Exchange services. A reader pointed out the problem to me and I was able to reproduce it in a test environment. Here are the details:

When checking the prerequisites, everything is still OK, no warnings or errors are displayed:


The installation starts and aborts at step 10 of 18 with the following error message:

Expired certificates

In the SP1 setup window, you can only click on "Exit" to return to the Windows desktop. The error message already indicates that a certificate has expired. The really nasty thing is that neither the Exchange Admin Center (EAC) nor the Exchange Management Shell (EMS) start after the failed update.

The EMS displays the following error message:

VERBOSE: Connecting to EX1.frankysweb.local.
New-PSSession : [ex1.frankysweb.local] Connecting to the remote server "ex1.frankysweb.local" failed with the following
error: The WinRM client cannot process the request. The content type of the HTTP response from the target computer
cannot be determined. The content type is missing or invalid. Further information can be found in the help topic
"about_Remote_Troubleshooting".
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
gTransportException
    + FullyQualifiedErrorId : -2144108297,PSSessionOpenFailed


EAC only displays an IIS error message:

Runtime error
Description: An application error occurred on the server. Due to the current custom error settings for this application, the details of the application error cannot be displayed remotely (for security reasons). They can, however, be displayed by browsers running on the local server.
Details: To display the details of this error message on the local computer, create a tag in the web.config configuration file located in the root directory of the current web application. The mode attribute of this tag should then be set to "Off".


I was able to reproduce this problem in a VM where the certificate assigned to the Exchange services had expired. The only problem: how do you change the certificate without EAC or EMS?

The easiest way is probably to simply delete the certificate, as it has expired anyway. The certificate can be removed via MMC:


To delete the certificate, add the "Certificates" snap-in to the MMC and connect it to the local computer account. The relevant certificates are then listed under the "Personal" store, where the expired certificate can be identified by its expiry date. In my test environment all of the certificates have expired, but only the highlighted one is assigned to the Exchange services.

After the certificate has been deleted, the Exchange 2013 Service Pack 1 setup must be restarted. The setup recognizes an incomplete installation and continues the setup:


Now the setup runs through. EAC and EMS start again. After the setup, a new certificate must be issued for the Exchange services. I have described here how a certificate can be issued by an internal CA for Exchange 2013:

https://www.frankysweb.de/exchange-2013-san-zertifikat-und-interne-zertifizierungsstelle-ca/

Before installing SP1 for Exchange 2013, you should check whether all certificates are valid.
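As an added example (not code from the original post), the following PowerShell snippet performs the check recommended above: it lists the certificates in the local machine's Personal store with their expiry status. It uses only the built-in Cert: drive, so it also works while EAC and EMS are down after a failed setup; when the Exchange cmdlets are loaded it additionally shows which services each certificate is bound to. The function name and the store path default are my own choices.

```powershell
# Added example: pre-flight check for expired certificates before the SP1 setup.
# Uses only the built-in Cert: drive, so it also runs when EMS cannot connect.
function Test-ExchangeCertificateExpiry {
    param(
        # Store the Exchange certificates live in (Personal store of the computer account)
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date

    # Service bindings (IIS, SMTP, IMAP, POP) are only known to Exchange itself;
    # fill them in when Get-ExchangeCertificate is available (EMS loaded).
    $services = @{}
    if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
        Get-ExchangeCertificate | ForEach-Object {
            $services[$_.Thumbprint] = [string]$_.Services
        }
    }

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $svc = 'n/a (EMS not loaded)'
        if ($services.ContainsKey($cert.Thumbprint)) { $svc = $services[$cert.Thumbprint] }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
            Expired    = $cert.NotAfter -lt $now
            Services   = $svc
        }
    }
}

# Print the report, earliest expiry first; the thumbprint identifies the certificate in MMC
$report = Test-ExchangeCertificateExpiry
$report | Sort-Object NotAfter | Format-Table Subject, Thumbprint, NotAfter, DaysLeft, Expired, Services -AutoSize

# Warn when anything has expired: renew or remove it before starting the SP1 setup
$expired = @($report | Where-Object { $_.Expired })
if ($expired.Count -gt 0) {
    Write-Warning "$($expired.Count) expired certificate(s) found in Cert:\LocalMachine\My."
}
```

A certificate that is expired and bound to IIS is the one that produces the WinRM and EAC errors shown above, so it is the first candidate to renew before running the setup.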

2 thoughts on "Exchange 2013: Expired certificates and Service Pack 1 (Caution!)"

  1. Hello,
    but the certificate is still valid until 19.03.2019! Or doesn't the screenshot match the problem?

    Regards

    • Hello,
      yes, the certificate has expired, because my test environment is far ahead in time. There it is already the year 2020 :-)
      I had changed the date for the demonstration…

      Regards, Frank
