We help IT Professionals succeed at work.
Private
Troubleshooting Question

Help on Certificate message popping up

76 Views
Last Modified: 2020-11-09
Hi Experts!
 
I keep getting a message about a certificar.  When i press detail I get the below.  Clicking More Detail there is a lot of info but it says Microsoft Corporation.


So I am not sure if this certificate is legit when it says “Not Trusted”. What should I do and how do I know which email account is It’s emails account?

Comment
Watch Question

CERTIFIED EXPERT

Commented:
this means either you are using an old machine that does not consider digicert as a trusted authority and microsoft is too lazy to provide a working certificate chain, or ( and this is much less likely ) someone is attempting a man in the middle on your connection.

David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Provide more detail.

Specifically the IP you're accessing along with the port/service you're using (port number + service HTTPS/IMAP/POP/SQL), also the OS version you're using and client you're using.

For example, if you're using Windows 7 Outlook, likely you have a TLS protocol mismatch which can only be fixed by upgrading your OS or installing latest Chrome/Firefox.
CERTIFIED EXPERT

Commented:
a protocol mismatch would not produce that error.
the protocol has no direct relationship with the ssl handshake and no incidence on that issue, but that would help reproducing the issue.

 the certificate chain is indeed a little short ;)

$ openssl s_client -connect outlook.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---



Lisa Hendrickson "CallThatGirl"Outlook Expert, Microsoft 365 Consultant
CERTIFIED EXPERT

Commented:
That's a phone app yes? If so, your network might need to be reset in the settings. If that's an iPhone. The Outlook app doesn't look like that. Might be the wrong app. 

Author

Commented:
Sorry guys, forgot to mention its from iPhone 11 Pro Max iOS 14.1.

That said, hope it helps better in recommendations

Hi skullnobrains,
You said "...someone is attempting a man in the middle on your connection"; being iPhone that can be true also?

Hi David,
How can I provide the info u r requesting of IP accessing/port/service/HTTPS/IMAP/POP/SQL) if it's an iPhone?

Hi Lisa,
The image I sent is from an iphone.  the pop-up says "windows.live" so I am assuming its one of my microosft emails, when I press detail, I get the image I sent in the question.
CERTIFIED EXPERT

Commented:
yes but i also said it is very unlikely and there is indeed a problem with the certificate chain of outlook.com.

the iphone probably just does not have the digicert root authority bundled in

if you are unsure, here is the serial of the current outlook.com certificate

$ openssl s_client -connect outlook.com:443 2>&1|openssl x509 -noout -serial
serial=0BA03E669F92CBFF940D8D564FAAA2F4

you can click "details" and see whether it matches

note that it is much easier to hack your iphone directly than to manage such a man in the middle.

you are using an old machine that does not consider digicert as a trusted authority and microsoft is too lazy to provide a working certificate chain

Author

Commented:
Haven't had the messaged since 2 days - I keep checking to see. But the image I forgot to include is the one below.  This is the first image prior clicking "Detail" and displaying the image I placed ion the question.  So I am assuming that there is an email of Microsoft with the problem.
 
 
I have Hotmail emails and Outlook emails (around 6) - how do I know which is which? Its it all? Or is it one?  And if it's one, is it possible Hotmail and Outlook uses different certificate?
CERTIFIED EXPERT

Commented:
each domain has a different cert but the issue is the same. and all accounts would be impacted.

if the accounts work, there is no need to bother. such issues can also be transient due to network issues while performing extra validation tasks such as ocsp.

since apple does not bother providing an explicit message, you cannot tell which  is which easily.

Author

Commented:
Hi skullnobrains,

Regarding your entry,
if you are unsure, here is the serial of the current outlook.com certificate 
I receive the error and managed to press "details" various time to get more info, but don't see anything regarding what you said:

So how can I find serial content?

Also, I assume pop3.live.com belongs to Outlook.com and/or Hotmail.com? Yes?
CERTIFIED EXPERT

Commented:
it is probably nsmed fingerprint and might be represented in space or vommz separated groups. maybe post the screenshot. anyway don t bother too much, that is most likely the correct cert.

does it work the rest of the time ?

Author

Commented:
Yes, works most of the time the pop-message is like maybe 2 or 3 times a week.  It's just frustrating.

Question, I assume pop3.live.com belongs to Outlook.com and/or Hotmail.com,  is there any other email address that uses pop3.live.com
CERTIFIED EXPERT

Commented:
i assume most of the domains owned by microsoft may use that pop server. live.com, live.us, live.it ... and a bunch nof private and public ones.

you cannot do a thing. maybe some day, they will discover certificate chains and ocsp stappling

i believe 3 times a week is a reasibsble amount of network issues. try and see if you can allow the cert permanently in your iphone. no idea how. click around. it ix probably either simple or not feasible at all.
Technical Support Specialist
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
CERTIFIED EXPERT

Commented:
you can either ignore the issue or install the cert in your profile.

the cert itself is valid for years, the issue is mainly microsoft's and probably some missing cert authorities, lack of retry and caching in the iphone

Author

Commented:
I guess that's, makes sense.

Ok guys! Thank u very much!

Will proceed to close