使用 openssl 连接到 google 服务器但无法获取本地颁发者证书。为什么？

它是来自谷歌的官方根 CA，所以它应该可以工作吧？！

它是一个官方的谷歌根，但它不是正确的一。

看着全部输出自openssl s_client：

openssl s_client -connect imap.gmail.com:993 -CAfile GTSR1.pem
CONNECTED(00000094)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
[snipped -- irrelevant]
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3216 bytes and written 261 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
[snipped except]
    Verify return code: 20 (unable to get local issuer certificate)
---

请注意，中间证书（链显示中编号为 1）的颁发者为（i:）

/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign

这是网页中标记为“GS Root R2”（不是 GTS）的根目录，链接在这里，并使用转换为 PEM 的文件：

openssl s_client -connect imap.gmail.com:993 -CAfile GSR2.pem -quiet
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = imap.gmail.com
verify return:1
* OK Gimap ready for requests from [redacted]

此外，openssl错误告诉你中间的使用的 (又名下属) CA 是 GTS CA 1O1，并且同一网页显示 GTS CA 1O1 位于 GS Root 2 下，而不是 GTS Root 1。