Outlook Web "Not Private" After Ubuntu Update

Using Ubuntu 24.04.2 LTS.

Suddenly, after a recent update of Ubuntu, an attempt to access an Outlook Web site resulted in a Privacy Error that prevents sign in unless the warning is overriden. (See attachment below.) This error occurs on two different browsers, Chrome and Firefox, on my Ubuntu computer and the error does not occur when using any other computer (Windows or Linux Lite). Thanks in advance for any suggestions on how to fix this problem.

Screenshot from 2025-03-26 12-07-451920×1080 139 KB

Welcome to Ubuntu Discourse

In a terminal run this command and post the output here please:
curl -v https://mercury.law.nyu.edu

This looks suspiciously like a self signed certificate which would normally be considered invalid, not sure how/why Windows or linux lite would not mark it like that … (but lets see what the curl command returns)

Secure TLS certificates always need to be counter signed by a certificate Authority (CA), Ubuntu ships by default the full list and public keys of CAs so certs can be verified against them, self signed certs simply have not been counter signed by a CA

Thanks for the quick response. Here are the results (after I installed curl):

lobalobo@lobalobo-Ecolite-Series:~$ curl -v https://mercury.law.nyu.edu

• Host mercury.law.nyu.edu:443 was resolved.
• IPv6: (none)
• IPv4: 128.122.159.101
• Trying 128.122.159.101:443…
• ALPN: curl offers h2,http/1.1
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: /etc/ssl/certs
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS alert, unknown CA (560):
• SSL certificate problem: unable to get local issuer certificate
• closing connection #0
  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

And I too was confused by why Ubuntu but not Linux Lite or Windows rejected the certificate, but I’m quite certain that I received no warnings navigating to the site on computers with either Linux Lite or Windows, and I had no trouble on Ubuntu either until an update about a week ago.

sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates

As a first step, let’s try updating the Certificate Authority (CA) certificates on your system.

Run each command above and then try the same curl command again to check if the issue is resolved.

Will try this later today and report back. Thanks so much for the help.

Unfortunately, these steps did not fix the problem. Here is the new report from the curl command:

• Host mercury.law.nyu.edu:443 was resolved.
• IPv6: (none)
• IPv4: 128.122.159.101
• Trying 128.122.159.101:443…
• ALPN: curl offers h2,http/1.1
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: /etc/ssl/certs
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS alert, unknown CA (560):
• SSL certificate problem: unable to get local issuer certificate
• closing connection #0
  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Unfortunately, I am out of ideas for this and I definitely do not want to suggest manual fixes that might compromise security.

Is there an IT department at your school who you can contact?

Tell them there seems to be an issue with the site certificate and ask them to review or fix.

Hopefully, someone here can offer other ways to sort this out.

Afterthought: did you restart the computer after updating the CA certificates?

Checked: I can access the site without security warnings on Ubuntu 24.04.2 using either Firefox or Chromium.

Perhaps @ogra has some suggestions?

Not a lot beyond contacting the server admins, the server does not seem to even send proper CA info:

$ openssl s_client -connect mercury.law.nyu.edu:443

[...]
subject=DC=org, DC=incommon, C=US, ST=New York, O=New York University, CN=mercury.law.nyu.edu
issuer=C=US, O=Internet2, CN=InCommon RSA IGTF Server CA 3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2581 bytes and written 416 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
[...]

This “No client certificate CA names sent” looks mis-configured to me

Checked: I can access the site without security warnings on Ubuntu 24.04.2 using either Firefox or Chromium.

How odd is that? Seems every computer with any operating system other than mine can connect to the site, but mine cannot (and that’s having tried two browsers).

[Yes, I believe I restarted the computer after the update, but I’ll try that again next time I’m home with the computer.]

Thanks.

Ogra: Thanks, I will contact my IT department, but not sure what to say inasmuch only this one computer has any difficulty.

On that error page, click on advanced and see what it says

Here is what Advanced says on the error page:

This server could not prove that it is mercury.law.nyu.edu; its security certificate is not trusted by your computer’s operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

So, although rebooting after updating the certificates didn’t help, here is something odd that I discovered: No Error messages when the server is accessed in Incognito mode. Does that give anyone any idea of what’s wrong? More curious than anything else at this point.

Try clearing browser cache, history, and cookies.

Would use the option to delete from all time or forever or whatever it says these days

This would be a great place to start, Why, Error Causes Invalid SSL certificate

1. Misconfigured redirects
2. Misconfigured proxy settings
3. Antivirus or Browser extensions issues
4. Operating system issues
5. Along with @rubi1200 suggestion

I have never had to go past the above to solve it.
I too checked:

Start Time: 1743713240
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0

Start Time: 1743713240
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0

2025-04-03_15-091245×378 22.6 KB

Try clearing browser cache, history, and cookies.

This did the trick, thank you. Funny thing is that, not too long ago, I was a Google Photos product expert (all volunteer, like this site), and I had a canned answer to half a dozen problems suggesting clearing the cache and cookies. Somehow, though, it did not occur to me to try this here. Glad you were smarter. Thanks again.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.