Connect with openssl to google server but unable to get local issuer certificate. Why?
Matthew Barrera
Trying to connect to imap.google.com:993 with openssl.
1) downloaded the CAfile in encoded DER format from . The file is called GTS Root R1
2) converted this file into PEM format
openssl x509 -inform der -in GTSR1.crt -out googleRootCA.pem
3) connect to imap.gmail.com:993 and use this googleRootCA.pem file
openssl.exe s_client -connect imap.gmail.com:993 -CAfile ./googleRootCA.pem
But openssl reports:
Verify return code: 20 (unable to get local issuer certificate)
Why? It's an official root CA from google so it should work?! OS: Windows 10
Answer
It's an official root CA from google so it should work?!
It's an official google root, but it's not the correct one.
Look at all the output from openssl s_client:
openssl s_client -connect imap.gmail.com:993 -CAfile GTSR1.pem
CONNECTED(00000094)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
[snipped -- irrelevant]
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3216 bytes and written 261 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
[snipped except] Verify return code: 20 (unable to get local issuer certificate)
---
Note the intermediate cert (numbered 1 in the chain display) has issuer (i:)
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
That's the root labelled 'GS Root R2' (not GTS) in the webpage which links here, and using that file converted to PEM works:
openssl s_client -connect imap.gmail.com:993 -CAfile GSR2.pem -quiet
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
verify return:1
* OK Gimap ready for requests from [redacted]
Also, the openssl error tells you the intermediate (aka subordinate) CA used is GTS CA 1O1, and that same webpage shows that GTS CA 1O1 is under GS Root 2, not GTS Root 1.
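As an added illustration (not part of the answer above), the following Python script automates the same diagnosis from the chain listing that s_client prints: it works out which subject DN the -CAfile must contain (the issuer of the last certificate the server sent, or that certificate itself if it is self-signed) and checks a candidate root's subject against it. The subject lines given for the GTS Root R1 and GlobalSign R2 files are assumed from those root certificates, not taken from the page.

```python
import re

# Chain section exactly as printed by `openssl s_client` for imap.gmail.com
# in the answer above (OpenSSL 1.0-style slash-separated DNs).
CHAIN_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
"""

# Assumed subject lines of the two root files, as `openssl x509 -noout
# -subject` (1.1-style, comma separated) would print them.
GTS_ROOT_R1_SUBJECT = "C = US, O = Google Trust Services LLC, CN = GTS Root R1"
GS_ROOT_R2_SUBJECT = "OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign"


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unbalanced s:/i: lines in chain output")
    return list(zip(subjects, issuers))


def _norm(dn):
    """Normalise slash-style and comma-style DN output to one RDN tuple."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(", ")
    return tuple(p.replace(" = ", "=", 1).strip() for p in parts if p)


def required_trust_anchor(chain):
    """Subject DN that -CAfile must contain for verification to succeed."""
    last_subject, last_issuer = chain[-1]
    if _norm(last_subject) == _norm(last_issuer):
        return last_subject  # server already sent its self-signed root
    return last_issuer  # otherwise the missing issuer of the last cert


def cafile_can_complete_chain(chain, cafile_subject):
    """True if a CA file with this subject closes the chain (no error 20)."""
    return _norm(required_trust_anchor(chain)) == _norm(cafile_subject)


if __name__ == "__main__":
    chain = parse_chain(CHAIN_OUTPUT)
    print("needed trust anchor:", required_trust_anchor(chain))
    for name, subj in (("GTS Root R1", GTS_ROOT_R1_SUBJECT),
                       ("GS Root R2", GS_ROOT_R2_SUBJECT)):
        print(name, "works" if cafile_can_complete_chain(chain, subj) else "fails")
```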