Outlook Web "Not Private" After Ubuntu Update

Using Ubuntu 24.04.2 LTS.

Suddenly, after a recent update of Ubuntu, an attempt to access an Outlook Web site resulted in a Privacy Error that prevents sign-in unless the warning is overridden. (See attachment below.) This error occurs on two different browsers, Chrome and Firefox, on my Ubuntu computer and the error does not occur when using any other computer (Windows or Linux Lite). Thanks in advance for any suggestions on how to fix this problem.

Welcome to Ubuntu Discourse :slight_smile:

In a terminal run this command and post the output here please:
curl -v https://mercury.law.nyu.edu

This looks suspiciously like a self-signed certificate, which would normally be considered invalid; not sure how/why Windows or Linux Lite would not mark it like that … (but let's see what the curl command returns)

Secure TLS certificates always need to be countersigned by a Certificate Authority (CA). Ubuntu ships by default the full list and public keys of CAs so certs can be verified against them; self-signed certs simply have not been countersigned by a CA.

Thanks for the quick response. Here are the results (after I installed curl):

lobalobo@lobalobo-Ecolite-Series:~$ curl -v https://mercury.law.nyu.edu

* Host mercury.law.nyu.edu:443 was resolved.
* IPv6: (none)
* IPv4: 128.122.159.101
* Trying 128.122.159.101:443…
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

And I too was confused by why Ubuntu but not Linux Lite or Windows rejected the certificate, but I’m quite certain that I received no warnings navigating to the site on computers with either Linux Lite or Windows, and I had no trouble on Ubuntu either until an update about a week ago.

sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates

As a first step, let’s try updating the Certificate Authority (CA) certificates on your system.

Run each command above and then try the same curl command again to check if the issue is resolved.

Will try this later today and report back. Thanks so much for the help.

Unfortunately, these steps did not fix the problem. Here is the new report from the curl command:

* Host mercury.law.nyu.edu:443 was resolved.
* IPv6: (none)
* IPv4: 128.122.159.101
* Trying 128.122.159.101:443…
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Unfortunately, I am out of ideas for this and I definitely do not want to suggest manual fixes that might compromise security.

Is there an IT department at your school who you can contact?

Tell them there seems to be an issue with the site certificate and ask them to review or fix.

Hopefully, someone here can offer other ways to sort this out.

Afterthought: did you restart the computer after updating the CA certificates?

Checked: I can access the site without security warnings on Ubuntu 24.04.2 using either Firefox or Chromium.

Perhaps @ogra has some suggestions?

Not a lot beyond contacting the server admins, the server does not seem to even send proper CA info:

$ openssl s_client -connect mercury.law.nyu.edu:443

[...]
subject=DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
issuer=C=US, O=Internet2, CN=InCommon RSA IGTF Server CA 3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2581 bytes and written 416 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
[...]

This “No client certificate CA names sent” looks mis-configured to me


Checked: I can access the site without security warnings on Ubuntu 24.04.2 using either Firefox or Chromium.

How odd is that? Seems every computer with any operating system other than mine can connect to the site, but mine cannot (and that’s having tried two browsers).

[Yes, I believe I restarted the computer after the update, but I’ll try that again next time I’m home with the computer.]

Thanks.

Ogra: Thanks, I will contact my IT department, but not sure what to say inasmuch as only this one computer has any difficulty.

On that error page, click on advanced and see what it says

Here is what Advanced says on the error page:

This server could not prove that it is mercury.law.nyu.edu; its security certificate is not trusted by your computer’s operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

So, although rebooting after updating the certificates didn’t help, here is something odd that I discovered: No Error messages when the server is accessed in Incognito mode. Does that give anyone any idea of what’s wrong? More curious than anything else at this point.

Try clearing browser cache, history, and cookies.

Would use the option to delete from all time or forever or whatever it says these days :slight_smile:


This would be a great place to start. Why? Causes of an invalid SSL certificate error:

  1. Misconfigured redirects
  2. Misconfigured proxy settings
  3. Antivirus or Browser extensions issues
  4. Operating system issues
  5. Along with @rubi1200's suggestion

I have never had to go past the above to solve it.
I too checked:

Results

openssl s_client -connect mercury.law.nyu.edu:443
Connecting to 128.122.159.101
CONNECTED(00000003)
depth=0 DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
verify return:1

Certificate chain
0 s:DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
i:C=US, O=Internet2, CN=InCommon RSA IGTF Server CA 3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Oct 16 00:00:00 2024 GMT; NotAfter: Oct 16 23:59:59 2025 GMT

Server certificate
subject=DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
issuer=C=US, O=Internet2, CN=InCommon RSA IGTF Server CA 3

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2581 bytes and written 410 bytes
Verification error: unable to verify the first certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)


[...]
80DB19C6C0720000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:688:

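The `Certificate chain` section in the output above lists a single entry (0) whose issuer differs from its subject, together with verify return code 21. As an added example (not part of the original thread), this shell function reads `openssl s_client` output and reports how many certificates the server sent and which issuer the client has to locate on its own; the verdict names and the output format are this example's own choices.

```shell
# Added example, not from the thread; verdict names are this example's own.
# classify_chain: read `openssl s_client` output on stdin and print
#   <verdict>|<certs sent>|<verify code>|<issuer of last cert sent>
classify_chain() {
  awk '
    BEGIN { code = "none" }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^(---|Server certificate)/ { in_chain = 0 }
    in_chain && /^[ \t]*[0-9]+ s:/ {      # "N s:<subject>" starts entry N
      n++; sub(/^[ \t]*[0-9]+ s:/, ""); subject = $0; next
    }
    in_chain && /^[ \t]*i:/ {             # "i:<issuer>" of the current entry
      sub(/^[ \t]*i:/, ""); issuer = $0
      if (n == 1) leaf_self_issued = (subject == issuer); next
    }
    /Verify return code:/ { code = $4 }   # e.g. "Verify return code: 21 (...)"
    END {
      if (n > 0 && code == 0)                         verdict = "ok"
      else if (n == 1 && leaf_self_issued)            verdict = "self-signed"
      else if (n == 1 && (code == 20 || code == 21))  verdict = "incomplete-chain"
      else                                            verdict = "other"
      printf "%s|%d|%s|%s\n", verdict, n, code, issuer
    }'
}

# Lines copied from the s_client output posted in this thread.
thread_sample() {
  cat <<'EOF'
Certificate chain
0 s:DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
i:C=US, O=Internet2, CN=InCommon RSA IGTF Server CA 3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Oct 16 00:00:00 2024 GMT; NotAfter: Oct 16 23:59:59 2025 GMT
Server certificate
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: a certificate whose subject and issuer are identical.
self_signed_sample() {
  cat <<'EOF'
Certificate chain
 0 s:CN=example.test
   i:CN=example.test
---
Verify return code: 18 (self-signed certificate)
EOF
}

thread_sample | classify_chain
self_signed_sample | classify_chain
```

With an `incomplete-chain` verdict, verification succeeds only where the client can obtain the named issuer certificate some other way, which is why results can differ between clients.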

Try clearing browser cache, history, and cookies.

This did the trick, thank you. Funny thing is that, not too long ago, I was a Google Photos product expert (all volunteer, like this site), and I had a canned answer to half a dozen problems suggesting clearing the cache and cookies. Somehow, though, it did not occur to me to try this here. Glad you were smarter. Thanks again.

