Microsoft Exchange admin portal blocked by expired SSL certificate

Microsoft Exchange

The Microsoft Exchange admin portal is currently inaccessible from some browsers after Microsoft forgot to renew the SSL certificate for the website.

Starting at 8 AM EST today, Microsoft Exchange admins who attempted to access the admin portal at suddenly found that their browsers were issuing warnings that the connection was not private due to an expired SSL certificate.

Depending on the browser, users are blocked from accessing the site as a security precaution or shown an alert that the data may not be secure. For example, Google Chrome will stop you from accessing the site altogether, while Firefox will warn you about the insecure connection.

Google Chrome blocking access to
Google Chrome blocking access to

According to Qualys’ SSL Labs, the certificate expired today, Sun, 23 May 2021, at 12:00:00 UTC. For those on the east coast of the United States, that is is equivalent to Sun, 23 May 2021 08:00:00 EST.

Expired SSL certificate for
Expired SSL certificate for

Microsoft states that they are aware of the issue and are working on a fix.

As a temporary workaround, Microsoft states you can access the admin portal from the URL as well.

Unfortunately, outages caused by expired certificates are becoming all too common as almost all online services have now switched over to secure connections.

With encrypted communications come additional complexity and human error, such as forgetting to renew an SSL certificate.

In August 2020, an expired certificate for California’s CalREDIE infectious disease reporting system led to an underreporting of COVID-19 cases in the state as data was prevented from being uploaded.

We have also seen expired SSL certificates affecting consumer-facing services, such as SpotifyMicrosoft Teams, and Facebook’s Tor server.

BleepingComputer has reached out to Microsoft to learn more about when they expect the SSL certificate to be renewed but has not heard back at this time.

Update 5/24/21 08:10 AM EST: Microsoft states they resolved the issue yesterday afternoon and released the following final status:

We’ve completed applying the configuration fix on the affected authentication component, and after monitoring service telemetry, we confirmed that the issue is now fully resolved.

Thx to David for the tip!