Our IMAP connection to a Exchange Server fails because the certificate validation with openssl fails.
The client which initiates the connection is a Windows Server 2019 Standard running openssl 64-bit.
C:\Users\Administrator>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" s_client -connect server:993 -showcerts
CONNECTED(0000019C)
Can't use SSL_get_servername
depth=0 C = CH, ST = Z\C3\BCrich, L = Richterswil, O = Wisli Am See, OU = Informatik, CN = server.ch
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CH, ST = Z\C3\BCrich, L = Richterswil, O = Wisli Am See, OU = Informatik, CN = server.ch
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = CH, ST = Z\C3\BCrich, L = Richterswil, O = Wisli Am See, OU = Informatik, CN = server.ch
verify return:1
---
Certificate chain
 0 s:C = CH, ST = Z\C3\BCrich, L = Richterswil, O = Wisli Am See, OU = Informatik, CN = server.ch
   i:DC = ch, DC = wisliamsee, DC = int, CN = int-wisliamsee-CA
---
Server certificate
subject=C = CH, ST = Z\C3\BCrich, L = Richterswil, O = Wisli Am See, OU = Informatik, CN = server.ch
issuer=DC = ch, DC = wisliamsee, DC = int, CN = int-wisliamsee-CA
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2442 bytes and written 451 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7C3500005C092BAF384569A2EF61EE37099BF0158441A5F09B81C878B2E2971E
    Session-ID-ctx:
    Master-Key: B226822F9899A655C27521A76F8E952B5E81F048E375F3ACC021D983868DB98DF8A571256B97533765A9C9A7F40BB7E6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1666602175
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
* OK The Microsoft Exchange IMAP4 service is ready.
Both the self-signed CA and the server certificate are installed in the computer certificate store:
Windows Computer Certificates, installed self-signed root
Server certificate including root installed in Trusted Publishers
I have tried to delete all existing certificates related to the server in the store, then get the certificate via openssl (with -connect and -showcerts) and save it again, to make sure there is no old or faulty certificate in the store. Same result. I also tried to get the certificate again from the target server and reinstall it, same result.
Why does it return code 21 even though the certificate is in trusted root certificates?
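One check worth running, as an added example that is not part of the original post: OpenSSL does not consult the Windows certificate store, it trusts only what its own default cert file or `-CAfile`/`-CApath` provide, so export the internal CA from the machine store and hand it to `s_client` explicitly. The CA subject name and the OpenSSL path are taken from the output above; the host name `server` is the placeholder used there, and the temp file names are assumptions.

```powershell
# Added example, not from the original post. Export the internal root CA from
# the Windows machine store and let OpenSSL verify the IMAP server with it,
# because OpenSSL on Windows never reads the Windows certificate store.
# Assumptions: the CA sits in LocalMachine\Root with the CN seen in the
# s_client output; 'server:993' is the same placeholder as in the post.
$caName  = 'int-wisliamsee-CA'
$target  = 'server:993'
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'

# Locate the CA certificate in the machine Root store by its subject CN.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "*CN=$caName*" } |
      Select-Object -First 1
if (-not $ca) { throw "CA '$caName' not found in LocalMachine\Root" }

# Export as DER and convert to PEM, which is what -CAfile expects.
$der = Join-Path $env:TEMP 'internal-ca.cer'   # assumed temp file name
$pem = Join-Path $env:TEMP 'internal-ca.pem'   # assumed temp file name
Export-Certificate -Cert $ca -FilePath $der -Type CERT | Out-Null
& $openssl x509 -inform der -in $der -out $pem

# Re-run the handshake trusting only the exported CA. -verify_return_error
# aborts on a verification failure, so a non-zero exit code means the chain
# still does not validate with this CA; "a LOGOUT" closes the IMAP session.
'a LOGOUT' | & $openssl s_client -connect $target -CAfile $pem -verify_return_error 2>&1 |
    Select-String 'Certificate chain|^ *[0-9]+ s:|verify error|Verify return code'
"openssl exit code: $LASTEXITCODE"
```

If the chain printed by `-showcerts` still contains only the depth-0 server certificate and that certificate's issuer is an intermediate rather than the root, the intermediate must be appended to the same PEM file, since the server is not sending it.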