There are special requirements for the certificate for Exchange.
It must have a SAN, because it (in the SAN) must have at least two names - org.blabla.bla and autodiscover.blabla.bla. At the same time, if you intend to provide access to OWA from the outside, you will definitely have to buy it (the certificate), otherwise you will not see mail on mobile clients :)
The self-signed certificate must match the name on which the eksch works - how else? and have autodiscover in the SAN. Well, that is, if the office has the domain ktoto.local, and the server has exch.ktoto.local, then the certificate must include the names exch.ktoto.local and autodiscover.ktoto.local. If you also want external access, then the exch should work on the ktoto.ru domain, and accordingly the certificate should include the name autodiscover.ktoto.ru.
Exche certificates are not cheap - from tens of rubles.

1) find out what name the certificate was issued to
2) "translate" Exchange to use FQDN in .ru