OpenSSL Verify return code: 20

Question

I'm trying to connect to smtp.googlemail.com using openssl, from Ubuntu 16.04 I can login and send emails without any issue, but from Centos5 I'm getting this:

/usr/local/ssl/bin/openssl s_client -starttls smtp -connect smtp.googlemail.com:587 -crlf -ign_eof
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIIZhHz2JffUYMwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMjE1MTM0NjI0WhcNMTcwMzA5MTMzNDAw
WjBtMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEcMBoGA1UEAwwTc210
cC5nb29nbGVtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKNjXgKkh+MP+GoDISKosZkL/UG6pdt7a/pHf4DPVMMrx/OAEWmLBQmKaV3QAJC2
qUlHhOsLcy7qtirFsUK9Y5jy6R0Ucxd7LW/REtvhwY2X8QfHm0IEnOE1CDuYrfUk
Kk7PtQxTqGxG8aei+LXLxLNFNTjbfQiObvQXREw7qXfEWQb5+0T2FOxpB+UhYx20
bNpOimB0dco/Up/v+RekBKlvS2SrOCMSeTYYReZkycriSt0pMsI0IIvkaeE1Isnx
wA23B0dz6mVUn5blHPAIiEqi7Ic/W5tBrVkUwC40aL0ZuFQUjaJ/JUXCLon8uOnD
P7VDUk0mqlDoXMvHA1XkFO0CAwEAAaOCAVAwggFMMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAeBgNVHREEFzAVghNzbXRwLmdvb2dsZW1haWwuY29tMGgG
CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
b20vb2NzcDAdBgNVHQ4EFgQU73XPHhFAOaKff/yiXSyANI3w4lIwDAYDVR0TAQH/
BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAY
MAwGCisGAQQB1nkCBQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6
Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAHLC
75s5iG0hrGns1J1qTEMKi/AxjP4xmjWzAm1S0wc/8a2qDemxd1+MCqZrNpmXYVog
luJ+JDtZlEsHaAqB5ATc3bnMLhrvh7TJLRUvyk+l3OJ+8oJR8HUyghqUQ9uB5qNX
8xXJbmTfY1nCXOuG2A9nWTlMubt//kasnbDCrcpG9TZO+dQ0H4SEuC10xtIFM04A
vWsDrdjThn8viHI7vmpEbeTR6E60jhEKYZfqhWFDH4e7k8TsAKIJCv6v5xo4yLp4
TtTJJk3eWrEHxt5cjWZlqx22/ru0Whk+6ZLvUzm329KwQ6kNm9quFngUpIFh241F
tFPvcslCp56bJ3xzdqs=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4001 bytes and written 508 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 917A4A945C1AD702E8F0588217413B3311AA226D7E78BDD87B8596965AA0D620
    Session-ID-ctx: 
    Master-Key: 43A388B6FF51CFC304F63D3EEC61912670C38CF7ECB347F521C48CD094C333BBBE4532FBCB5D41203543B8F0D081C2BA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - bf cf bb fc 16 de 25 7a-cd bc 70 64 54 37 f0 60   ......%z..pdT7.`
    0010 - 65 97 fe f6 65 24 c0 c6-5e 9f a8 e2 8f 5e 20 76   e...e$..^....^ v
    0020 - 89 d7 f7 29 2c 43 fe f5-b9 95 c9 f3 ca 66 e6 cf   ...),C.......f..
    0030 - 53 20 86 84 1e 53 08 23-cf 14 56 23 d4 2f 45 1e   S ...S.#..V#./E.
    0040 - f1 68 0a d8 6a e1 06 e9-d5 d0 59 fc 86 df 0b f8   .h..j.....Y.....
    0050 - 1b be d0 a3 40 83 3d 3c-d0 ce ba 07 a9 46 d7 6d   ....@.=<.....F.m
    0060 - 73 35 cd 72 04 3a 5b 90-a2 db 1a e2 7b 78 6e 90   s5.r.:[.....{xn.
    0070 - 74 91 52 1e 10 68 15 58-5f b7 4d 0f ba 9e 2f 32   t.R..h.X_.M.../2
    0080 - ac 78 92 37 47 d3 3c 3e-fd b0 ec 61 83 78 6e 48   .x.7G.<>...a.xnH
    0090 - 61 27 ea 01 d7 74 3e 97-ab 72 05 00 78 3a 6d 9d   a'...t>..r..x:m.
    00a0 - b4 a0 57 e9                                       ..W.

    Start Time: 1483556858
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

It looks like OpenSSL cannot find the root certificate needed, am I right?. Ok so, how can I fix this?.

You are not using the system OpenSSL, but another copy of OpenSSL. — Michael Hampton, Jan 04 '17 at 19:25
Yes, I've compiled a newer version but if I use the system's one I get the same results. — leonardorame, Jan 04 '17 at 22:43

score 1 · Accepted Answer · answered Jan 04 '17 at 19:25

Grab the entire certificate chain using -showcerts:

$ openssl s_client -starttls smtp -connect smtp.googlemail.com:587 -showcerts                                                                                                                                               [77/209]
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.googlemail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIIZhHz2JffUYMwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMjE1MTM0NjI0WhcNMTcwMzA5MTMzNDAw
WjBtMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEcMBoGA1UEAwwTc210
cC5nb29nbGVtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKNjXgKkh+MP+GoDISKosZkL/UG6pdt7a/pHf4DPVMMrx/OAEWmLBQmKaV3QAJC2
qUlHhOsLcy7qtirFsUK9Y5jy6R0Ucxd7LW/REtvhwY2X8QfHm0IEnOE1CDuYrfUk
Kk7PtQxTqGxG8aei+LXLxLNFNTjbfQiObvQXREw7qXfEWQb5+0T2FOxpB+UhYx20
bNpOimB0dco/Up/v+RekBKlvS2SrOCMSeTYYReZkycriSt0pMsI0IIvkaeE1Isnx
wA23B0dz6mVUn5blHPAIiEqi7Ic/W5tBrVkUwC40aL0ZuFQUjaJ/JUXCLon8uOnD
P7VDUk0mqlDoXMvHA1XkFO0CAwEAAaOCAVAwggFMMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAeBgNVHREEFzAVghNzbXRwLmdvb2dsZW1haWwuY29tMGgG
CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
b20vb2NzcDAdBgNVHQ4EFgQU73XPHhFAOaKff/yiXSyANI3w4lIwDAYDVR0TAQH/
BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAY
MAwGCisGAQQB1nkCBQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6
Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAHLC
75s5iG0hrGns1J1qTEMKi/AxjP4xmjWzAm1S0wc/8a2qDemxd1+MCqZrNpmXYVog
luJ+JDtZlEsHaAqB5ATc3bnMLhrvh7TJLRUvyk+l3OJ+8oJR8HUyghqUQ9uB5qNX
8xXJbmTfY1nCXOuG2A9nWTlMubt//kasnbDCrcpG9TZO+dQ0H4SEuC10xtIFM04A
vWsDrdjThn8viHI7vmpEbeTR6E60jhEKYZfqhWFDH4e7k8TsAKIJCv6v5xo4yLp4
TtTJJk3eWrEHxt5cjWZlqx22/ru0Whk+6ZLvUzm329KwQ6kNm9quFngUpIFh241F
tFPvcslCp56bJ3xzdqs=
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjqSMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTUwNDAxMDAwMDAwWhcNMTcxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD
VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov
L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEACE4Ep4B/EBZDXgKt
10KA9LCO0q6z6xF9kIQYfeeQFftJf6iZBZG7esnWPDcYCZq2x5IgBzUzCeQoY3IN
tOAynIeYxBt2iWfBUFiwE6oTGhsypb7qEZVMSGNJ6ZldIDfM/ippURaVS6neSYLA
EHD0LPPsvCQk0E6spdleHm2SwaesSDWB+eXknGVpzYekQVA/LlelkVESWA6MCaGs
eqQSpSfzmhCXfVUDBvdmWF9fZOGrXW2lOUh1mEwpWjqN0yvKnFUEv/TmFNWArCbt
F4mmk2xcpMy48GaOZON9muIAs0nH5Aqq3VuDx3CQRk6+0NtZlmwu9RY23nHMAcIS
wSHGFg==
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4000 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FBA71D2C2413474BDCE44C6951BFBC41C7FB4795CADCE6150BB93205526E632A
    Session-ID-ctx: 
    Master-Key: F86BF8C5998693FE8FB77B396644D2D58365228C0352CF35886582EBB109845554AF632CC72A947C304CD93C6AC76618
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - bf cf bb fc 16 de 25 7a-cd bc 70 64 54 37 f0 60   ......%z..pdT7.`
    0010 - a8 09 14 b0 63 60 cb 19-c2 01 a8 d4 b9 fa 66 02   ....c`........f.
    0020 - c2 d8 4b c8 a4 46 b9 6d-d5 5c a3 5e b9 7e 95 27   ..K..F.m.\.^.~.'
    0030 - 5e 35 e5 87 fd 2b ba 79-66 24 14 84 7e 16 14 c2   ^5...+.yf$..~...
    0040 - fa a2 b1 da 12 df c2 4a-ac b5 a9 ea b1 9c 22 7a   .......J......"z
    0050 - 83 22 47 6b fe 89 9a 06-18 c3 28 e5 1d 1a 76 1e   ."Gk......(...v.
    0060 - 70 c8 53 39 41 55 95 54-0d ce 27 84 26 96 c4 2b   p.S9AU.T..'.&..+
    0070 - c2 9f 0f 35 fe b2 fd c5-d7 38 0d 4b 85 74 6a da   ...5.....8.K.tj.
    0080 - 43 76 ba 81 fb 96 2f 4d-56 96 1c 2d e7 c7 b4 00   Cv..../MV..-....
    0090 - 51 5b 8e 6b eb cc ab 96-bc 98 3a 85 8f 5e bd 2d   Q[.k......:..^.-
    00a0 - f1 7a 3f f1                                       .z?.

    Start Time: 1483557603
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 SMTPUTF8

Then include the missing certificates in your requests, or, better, update the system bundle to include them.

If you are still missing certificates in the chain of trust, you can retrieve them from the vendor.

You can verify that the chain of trust is complete with the verify subcommand of openssl.

Well, I've found a file /etc/pki/tls/certs/ca-bundle.crt.rpmnew and copied as ca-bundle.crt, after this I'm getting `Verify return code: 0 (ok)`. The sad news is this wasn't the cause of my original problem (cannot login to gmail using openssl from Centos 5). — Leonardo Ramé, Jan 04 '17 at 22:58

OpenSSL Verify return code: 20

1 Answers1