"Your connection is not secure" for every other website [closed]

Question

My father uses an old computer with Ubuntu 16.04 on it. (I cannot update that. He rejects all change. I have made many attempts to make him accept a newer system, to no avail.)

Since a few months he cannot visit half the internet anymore. Firefox (I don't know which version - the latest available for Ubuntu 16.04) tells him that the connection is not secure, certificates have expired. When I visit the same websites they all have fresh certificates. And I don't understand why these apparently are not there on his end.

The same happens for the start page in Thunderbird.

I don't live near my father and can't access his computer. I can't ask him complicated questions because it confuses and frustrates him to no end. So for example, I can't ask him to check those certificates, click on the "more info" button or whatever, so I can see what certificates are presented to him. I also can't ask him to try with Chromium (not even sure it's installed), or do anything in a terminal etc. In short: I can't get any more info than this if I am not physically there.

I have no idea what is wrong. Is there maybe some new kind of standard for SSL certificates that is slowly being rolled out now and already in use for most but not all websites, that did not exist back then and is not supported by the old Firefox on that old Ubuntu? Or what could be the reason that this suddenly happens on this old system, and how to fix it?

My first hunch was that he might have changed the system date and time so that certificates appear to have expired. But that is not the case.

Answer 1

You have a number of issues here:

1. Ubuntu 16.04 went EOL in April 2021, and is no longer on-topic on Ask Ubuntu
2. Because 16.04 is EOL, his computer will be less secure (more likely to get malware) than, say, Ubuntu 20.04. Even more so if it hasn't been updated for months or years.
3. If he won't update the OS, I'd guess he is using an old (and unsupported) browser version. If you can, I'd try to get him to update it. Updating the browser shouldn't be too difficult, and may solve these certificate errors, but will also be more secure. Also, update the ca-certificates package. But you really should update the OS. Or clean install.
4. The computer in question needs to trust the ISRG Root X1 certificate for a lot of things to work. It works be default in current versions of Ubuntu, as well as 16.04 with updates applied (see this page for more information on that).
5. Certificates expire. If no updates have been applied (and 16.04 doesn't get updates), well... expired certificates won't work, and without updates, good luck getting new ones. If you really can't update the OS, update the browser and the ca-certificates package. That said, it is better to update the OS. As to convincing them to update the OS, check out the How to explain to traditional people why they should upgrade their old Windows XP device? question on Information Security SE.

Finally, it might be worth looking into setting up said computer to automatically download updates.

Sadly, if you "can't access his computer" and "can't ask him to ... do anything in a terminal", there isn't much you can do. Updates, especially from old versions are not 100% reliable. Yes, usually updates work, but if he won't let you have access, and he won't do it himself, then he either (a) will have to deal with websites not working (and potentially other stuff, like malware), or (b) he will realize it is time to update.

Answer 2

I tried the latest Ubuntu-16.04.7-desktop-amd64.iso on a USB driver, and in a terminal:

$ sudo apt update
$ sudo apt upgrade

After upgrading to the latest version: $ uname -a should print something like:

Linux ubuntu 4.15.112-generic ...

And the Firefox version is 88.0.

Open some HTTPS sites and their certificates OK. Please check the above versions and ensure the /etc/apt/sources.list, points to the official site, e.g: http://archive.ubuntu.com.