Problem: depending on your environment, internal Exchange clients receive one of the following certificate errors/warnings:
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.
The security certificate has expired or is not yet valid.
The name on the security certificate is invalid or does not match the name of the site.
Most probably you will see the last error, unless you have a self-signed certificate in place. This happens because the internal Exchange server FQDN differs from the external FQDN, and it is the external FQDN that is defined in the trusted certificate you bought.
Change the Autodiscover Service Internal Uri to the external FQDN (make sure it resolves to your Exchange CAS server or CAS array):
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://email.domain.com/Autodiscover/Autodiscover.xml
Now the Autodiscover service for internal clients will work without certificate errors, as long as you have a valid certificate for your OWA FQDN.
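
To confirm the change, the following added example (not part of the original post) reads each CAS server's AutoDiscoverServiceInternalUri and reports which of the three warnings above the certificate served at that host would still trigger. Test-AutodiscoverCertificate is a hypothetical helper name; the script assumes it is run from the Exchange Management Shell on a machine that trusts the same root CAs as your clients.

```powershell
# Added example: Test-AutodiscoverCertificate is a hypothetical helper, not an Exchange cmdlet.
function Test-AutodiscoverCertificate {
    param([Parameter(Mandatory=$true)][Uri]$Uri)

    $script:tlsErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:tlsCert   = $null
    # Let the handshake finish either way, but record what validation reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:tlsErrors = $sslPolicyErrors
        $script:tlsCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($Uri.Host, $Uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The certificate name is checked against the host taken from the URI.
        $ssl.AuthenticateAsClient($Uri.Host)
    } finally {
        $tcp.Close()
    }

    $errs     = [int]$script:tlsErrors
    $mismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainErr = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $now      = Get-Date

    New-Object PSObject -Property @{
        Host            = $Uri.Host
        Subject         = $script:tlsCert.Subject
        NotAfter        = $script:tlsCert.NotAfter
        # "The name on the security certificate is invalid or does not match..."
        NameMismatch    = ($errs -band $mismatch) -ne 0
        # Chain did not validate (untrusted issuer; an expired certificate also lands here)
        ChainProblem    = ($errs -band $chainErr) -ne 0
        # "The security certificate has expired or is not yet valid."
        OutsideValidity = ($now -lt $script:tlsCert.NotBefore) -or ($now -gt $script:tlsCert.NotAfter)
    }
}

# Check the URI that internal clients are actually handed for every CAS server.
Get-ClientAccessServer | ForEach-Object {
    Test-AutodiscoverCertificate -Uri $_.AutoDiscoverServiceInternalUri
} | Format-Table Host, NameMismatch, ChainProblem, OutsideValidity, NotAfter -AutoSize
```

All three flags should read False once the internal URI points at the FQDN named in the trusted certificate.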