Windows – AutoDiscover with multiple accepted domains

Tags: autodiscover, exchange, exchange-2013, ssl, windows

I am currently running an Exchange 2013 server (15.0 1178.4) with multiple accepted domains, and the issue is that I have one SSL certificate installed which is valid, but only the primary domain's autodiscover and mail names are listed in it.

Therefore I experience Outlook SSL warnings that the autodiscover.domain.tld is not listed in the certificate.

I have already tried multiple things, such as using the SRV DNS record method, which looks like this:

_autodiscover._tcp 300 SRV 10 0 443 ex13.primary-domain.tld.
_autodiscover._tcp 300 SRV 0 5 443 ex13.primary-domain.tld.
autodiscover.domain.tld CNAME ex13.primary-domain.tld.

Those records make it possible for Outlook to determine all of the settings but after setting an account up and having it running for a few minutes there is a popup which shows the SSL warning as stated above.

Since I have about 30 domains running on it and I don't really want to get a SAN/multi-domain certificate, I'd like to know if there is another solution for that.

Would the Let's Encrypt SAN feature maybe work for such a setup?

Best Answer

SRV record or HTTP redirect is the way to go here.

For the SRV record, you need to ensure that Autodiscover.example.com does NOT resolve. That will mean checking there is no wildcard in the domain, the A record or CNAME doesn't exist etc. It is certainly possible to run a large number of domains on a single certificate, as long as you are aware of the limitations.

You also need to check the web hosts haven't got Autodiscover enabled, as the first thing Outlook checks is https://example.com/Autodiscover/Autodiscover.xml (i.e. the root of the domain), which can also get in the way.

HTTP redirect can sometimes be easier to implement. It will require a separate web site which then redirects to the HTTPS version. That is often used where for various reasons the wildcard cannot be removed from the domain.
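The checks the answer describes can be run mechanically across all accepted domains. The following is an added example (not code from the question or the answer): a small Python model of the order in which Outlook tries Autodiscover endpoints, evaluated against constructed DNS/web data for one domain, so you can see why an A/CNAME for autodiscover.<domain> alongside the SRV record produces the certificate warning, and why removing it (or using a port-80-only redirect site where a wildcard cannot be removed) does not. The host names, the Zone fields and the simplified lookup order (SCP for domain-joined clients is left out) are assumptions of this example; a real check would feed the Zone from live DNS and HTTP probes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Names on the single certificate (constructed sample values).
CERT_NAMES = frozenset({
    "ex13.primary-domain.tld",
    "autodiscover.primary-domain.tld",
    "mail.primary-domain.tld",
})


@dataclass
class Zone:
    """Constructed stand-in for one accepted domain's DNS and web setup (assumed fields)."""
    resolving_names: frozenset = frozenset()    # names with an A or CNAME record
    wildcard: bool = False                      # *.domain.tld present, so every name resolves
    root_serves_autodiscover: bool = False      # web host answers /Autodiscover/Autodiscover.xml
    autodiscover_https_listener: bool = True    # something accepts TLS on autodiscover.<domain>:443
    http_redirect_to: Optional[str] = None      # host in the 302 Location sent from port 80
    srv_target: Optional[str] = None            # target of _autodiscover._tcp.<domain> SRV


def resolves(zone: Zone, name: str) -> bool:
    """A name resolves if it has its own record or the zone has a wildcard."""
    return zone.wildcard or name in zone.resolving_names


def check_domain(domain: str, zone: Zone, cert_names=CERT_NAMES) -> dict:
    """Walk the Outlook lookup order and report where it settles.

    Order modelled (simplified):
      1. https://<domain>/Autodiscover/Autodiscover.xml
      2. https://autodiscover.<domain>/Autodiscover/Autodiscover.xml
      3. http://autodiscover.<domain>/... followed by a redirect to HTTPS
      4. _autodiscover._tcp.<domain> SRV record
    The host Outlook finally opens TLS to must be on the certificate.
    """
    steps: List[str] = []
    root, auto = domain, f"autodiscover.{domain}"

    def settle(method: str, host: str) -> dict:
        ok = host in cert_names
        warning = None if ok else f"{host} is not on the certificate (reached via {method})"
        return {"method": method, "host": host, "cert_ok": ok, "steps": steps, "warning": warning}

    # 1. Bare domain: only an obstacle if the web host actually serves Autodiscover.
    if resolves(zone, root) and zone.root_serves_autodiscover:
        steps.append("https-root answered")
        return settle("https-root", root)
    steps.append("https-root skipped")

    # 2. autodiscover.<domain> over HTTPS: reached whenever the name resolves
    #    (A, CNAME or wildcard) and port 443 answers; the TLS name check happens here.
    if resolves(zone, auto) and zone.autodiscover_https_listener:
        steps.append("https-autodiscover answered")
        return settle("https-autodiscover", auto)
    steps.append("https-autodiscover skipped")

    # 3. Plain HTTP redirect: the name resolves, nothing listens on 443,
    #    and port 80 sends a 302 to the real Exchange host.
    if resolves(zone, auto) and zone.http_redirect_to:
        steps.append(f"http-redirect -> {zone.http_redirect_to}")
        return settle("http-redirect", zone.http_redirect_to)
    steps.append("http-redirect skipped")

    # 4. SRV: only reached when none of the above produced an answer.
    if zone.srv_target:
        steps.append(f"srv -> {zone.srv_target}")
        return settle("srv", zone.srv_target)
    steps.append("srv skipped")
    return {"method": None, "host": None, "cert_ok": False, "steps": steps,
            "warning": "no Autodiscover path found"}


# Constructed scenarios.
# As in the question: SRV record plus a CNAME for autodiscover.domain.tld.
QUESTION_ZONE = Zone(resolving_names=frozenset({"domain.tld", "autodiscover.domain.tld"}),
                     srv_target="ex13.primary-domain.tld")
# As the answer recommends: CNAME removed, SRV kept.
FIXED_ZONE = Zone(resolving_names=frozenset({"domain.tld"}),
                  srv_target="ex13.primary-domain.tld")
# Wildcard that cannot be removed: redirect site on port 80, nothing on 443.
WILDCARD_ZONE = Zone(wildcard=True, autodiscover_https_listener=False,
                     http_redirect_to="ex13.primary-domain.tld")

if __name__ == "__main__":
    for label, zone in [("question", QUESTION_ZONE), ("fixed", FIXED_ZONE), ("wildcard", WILDCARD_ZONE)]:
        result = check_domain("domain.tld", zone)
        print(f"{label:9s} {result['method']!s:19s} {result['host']!s:28s} cert_ok={result['cert_ok']}")
        if result["warning"]:
            print("          warning:", result["warning"])
```

The "question" scenario settles at step 2 on autodiscover.domain.tld, a name not on the certificate, which is exactly the popup described; the "fixed" scenario falls through to the SRV target, and the "wildcard" scenario reaches the Exchange host through the port-80 redirect. Either way the final host must be one of the certificate's names, which is the limitation the answer refers to when running many domains on one certificate.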
