OpenSSL verify return code: 20

I am trying to connect to smtp.googlemail.com with openssl. From Ubuntu 16.04 I can log in and send email without any problems, but from CentOS 5 I get this:

    /usr/local/ssl/bin/openssl s_client -starttls smtp -connect smtp.googlemail.com:587 -crlf -ign_eof
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [certificate body omitted]
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4001 bytes and written 508 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 917A4A945C1AD702E8F0588217413B3311AA226D7E78BDD87B8596965AA0D620
        Session-ID-ctx:
        Master-Key: 43A388B6FF51CFC304F63D3EEC61912670C38CF7ECB347F521C48CD094C333BBBE4532FBCB5D41203543B8F0D081C2BA
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        [session ticket hex dump omitted]
        Start Time: 1483556858
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

It looks like OpenSSL cannot find the required root certificate, right? OK, how do I fix this?

Show the entire certificate chain with -showcerts:

    $ openssl s_client -starttls smtp -connect smtp.googlemail.com:587 -showcerts
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.googlemail.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    -----BEGIN CERTIFICATE-----
    [certificate body omitted]
    -----END CERTIFICATE-----
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    -----BEGIN CERTIFICATE-----
    [certificate body omitted]
    -----END CERTIFICATE-----
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    [certificate body omitted]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4000 bytes and written 362 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: FBA71D2C2413474BDCE44C6951BFBC41C7FB4795CADCE6150BB93205526E632A
        Session-ID-ctx:
        Master-Key: F86BF8C5998693FE8FB77B396644D2D58365228C0352CF35886582EBB109845554AF632CC72A947C304CD93C6AC76618
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        [session ticket hex dump omitted]
        Start Time: 1483557603
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 SMTPUTF8

Then include the missing certificates in your request, or better, update the system packages so that they include them.

If you are still missing certificates in the chain of trust, you can retrieve them from the vendor.

You can use the openssl verify subcommand to verify that the chain of trust is complete.
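
The check described above, as an added example that is not part of the original post: a throwaway root, intermediate and leaf chain is verified with `openssl verify`, first against a trust file that lacks the root (error 20), then with the root supplied. All certificate names and file names are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example. The throwaway PKI (Demo root / inter / leaf / other) and all
# file names are constructed for this demo; nothing here contacts a real server.

build_chain() (   # $1 = work directory; runs in a subshell so cd stays local
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter leaf other; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=Demo $n" >/dev/null 2>&1 || exit 1
    done
    # root and other: self-signed CAs. "other" stands in for an outdated
    # trust store that does not contain the root this chain needs.
    for n in root other; do
        openssl x509 -req -in "$n.csr" -signkey "$n.key" -extfile ca.ext \
            -days 2 -out "$n.pem" >/dev/null 2>&1 || exit 1
    done
    # Intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -extfile ca.ext -days 2 -out inter.pem >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
        -days 2 -out leaf.pem >/dev/null 2>&1
)

# Print the verify error number for a certificate (0 = chain complete).
# $1 = trusted roots, $2 = untrusted intermediates (what the server sent), $3 = cert
verify_code() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    case $out in
        *": OK"*) echo 0 ;;
        *)        echo "${code:-unknown}" ;;
    esac
}

run_demo() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || { rm -rf "$d"; return 1; }
    missing=$(verify_code "$d/other.pem" "$d/inter.pem" "$d/leaf.pem")
    fixed=$(verify_code "$d/root.pem" "$d/inter.pem" "$d/leaf.pem")
    rm -rf "$d"
    echo "root missing: $missing, root supplied: $fixed"
}

run_demo
```

On a real host, the `-CAfile` argument would be the system CA bundle and `-untrusted` a file holding the intermediates saved from the `-showcerts` output.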