I am having the same problem with apis.live.net:443. I am running Debian
stable with ca-certificates 20141019+deb8u1.
Thanks.
-nandhp
$ openssl s_client -connect apis.live.net:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore
CyberTrust Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft
Corporation/CN=storage.live.com
i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft
IT/CN=Microsoft IT SSL SHA2
1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft
IT/CN=Microsoft IT SSL SHA2
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
---
Server certificate
[...]
subject=/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft
Corporation/CN=storage.live.com
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
---
No client certificate CA names sent
---
SSL handshake has read 6828 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: [...]
Session-ID-ctx:
Master-Key: [...]
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1454865834
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
^C
On Thu, 28 Jan 2016 16:44:09 +0100 Peter Dahlberg <[email protected]>
wrote:
> Hi,
>
> There seems to be a similar looking issue because of the removed "GTE
> CyberTrust Global Root".
>
> jessie:
>
> $ openssl s_client -connect pictureis24-a.akamaihd.net:443
> CONNECTED(00000003)
> depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
> i:/C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon
> Akamai SureServer CA G14-SHA2
> 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon
> Akamai SureServer CA G14-SHA2
> i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
> CyberTrust Global Root
> ---
>
> testing:
>
> % openssl s_client -connect pictureis24-a.akamaihd.net:443
> CONNECTED(00000003)
> depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
> verify return:1
> depth=1 C = NL, L = Amsterdam, O = Verizon Enterprise Solutions, OU =
> Cybertrust, CN = Verizon Akamai SureServer CA G14-SHA2
> verify return:1
> depth=0 C = US, ST = MA, L = Cambridge, O = Akamai Technologies Inc., CN =
> a248.e.akamai.net
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
> i:/C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon
> Akamai SureServer CA G14-SHA2
> 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise
> Solutions/OU=Cybertrust/CN=Verizon
> Akamai SureServer CA G14-SHA2
> i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
> CyberTrust Global Root
> ---
>
> Kind regards,
> Peter
>
>
>
