私はかなり標準的なインストールを持っていますサフィックスそしてピジョンロフトUbuntu 12.10で。独自の証明書を生成して署名しました。cacert.org。
証明書の作成プロセスは次のとおりです。
openssl genrsa -out mail.myhostname.key 4096
openssl req -new -key mail.myhostname.key -out mail.myhostname.csr
wget http://www.cacert.org/certs/root.txt
sudo cp root.txt /etc/ssl/certs/cacert.crt
# here Submitting the CSR to CAcert takes place
# placing result certificate from CAcert into /etc/postfix/ssl/mail.myhostname.crt
これは私のロフト構成ですsudo cat /etc/dovecot/conf.d/10-ssl.conf
。
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/postfix/ssl/mail.myhostname.crt
ssl_key = </etc/postfix/ssl/mail.myhostname.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/postfix/ssl/cacert.crt
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
独自の証明書を設定するまで、Outlookを正しく機能させることはできません(いくつかの注意事項があるにもかかわらず)。 Thunderbirdよりも敏感な「Microsoft Mail」とOutlookにいくつかの問題がある可能性があると聞きましたが、問題ではありません。
クライアントプログラム画面:
これは splunk source="/var/log/mail.log" のヘッダーであり、問題を示しています。
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.2XX.XXX, lip=37.23X.XX.XXX, TLS handshaking: Disconnected
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:34.000 AM
Jun 6 00:20:34 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:33.000 AM
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:33.000 AM
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:33.000 AM
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:33.000 AM
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:33.000 AM
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
12:20:33.000 AM
Jun 6 00:20:33 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.2XX.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
以下はopensslテストの結果ですopenssl s_client -connect mail.myhostname:995
。
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = [email protected]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=*.myhostname
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
some certificate info..
-----END CERTIFICATE-----
subject=/CN=*.myhostname
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 4548 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 4EE9B3ED672B5989A52B5338C6173E5C525080C1D46D37A327E501ED70A73625
Session-ID-ctx:
Master-Key: 5DD1ED05C32F5B0FE07F20FDEEE80D622D6873CE7E9D954F4CC6644ED0E86A6A30603A387651135D6F7CA792F2377901
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 4e 3f 50 2c 3f 61 47 9f-f0 61 b4 26 31 ce 2c 9f N?P,?aG..a.&1.,.
0010 - ce 83 1b b5 20 88 45 a9-71 cd 35 29 3e 4b 5c 29 .... .E.q.5)>K\)
0020 - d8 31 e0 3f 47 2b d3 05-d3 73 62 78 ac a9 91 f8 .1.?G+...sbx....
0030 - 51 89 b5 cd 20 2a 92 7a-68 8f d7 ae 01 10 46 df Q... *.zh.....F.
0040 - 35 c9 4b 50 86 1a 1b bc-5f 66 b9 29 7a bd 41 be 5.KP...._f.)z.A.
0050 - a0 76 ba e3 95 2c 85 ef-cd 21 c5 be ee c1 4b e3 .v...,...!....K.
0060 - c7 9e e3 8a 63 6d a6 cb-9f be 25 d5 b6 61 c0 27 ....cm....%..a.'
0070 - b5 09 46 e5 79 e0 34 6f-8d 6b db 96 17 40 18 ea ..F.y.4o.k...@..
0080 - 25 c2 b0 12 96 20 1a 25-e1 7a 22 3e 74 6c 9e e8 %.... .%.z">tl..
0090 - 61 f0 24 e7 5f 8a 5d e1-ab 43 c0 a7 74 43 09 cf a.$._.]..C..tC..
Start Time: 1433543614
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
+OK The greatest mail program is ready
私は理解できません。検証エラー:num = 19:証明書チェーンに自己署名証明書があります。部分。信頼できるCAcert機関を使用している場合、自己署名はどうなりますか?
私のサーバーはまだ脆弱であるため、IPとホスト名を確認しました。
別のものがありますスタックDovecotの証明書(リンクにあります)http://wiki2.dovecot.org/SSL/Dovecot構成)。表に次の順序を示します。
Dovecotの公開証明書- これは何ですか?
TDC SSLサーバーCA- これがcacertから受け取った公開鍵ですか?
TDCインターネットルートCAcacertのルートですか?
グローバルサインパートナーCA- これは何ですか?
現在は/etc/postfix/ssl/cacert.crt
CAcertルートのみがあります。
これは問題を引き起こし、TLSハンドシェイクを防ぐことができますか?
修正する:
MailはThunderbirdと連携しますが、ユーザーは証明書を受け入れる必要があります。これは望ましくない動作です。 cacert.orgから証明書を受け取ったときに予期しなかったことです。
splunkからのログ:
6/6/15
1:38:43.000 AM
Jun 6 01:38:43 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:43.000 AM
Jun 6 01:38:43 myhostname dovecot: imap([email protected]): Disconnected: Logged out bytes=8/328
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=89.77.22X.XXX, lip=37.233.XX.XXX, mpid=13141, TLS
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: auth-worker: mysql(localhost): Connected to database postfix
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:41.000 AM
Jun 6 01:38:41 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Disconnected (no auth attempts): rip=89.77.22X.XXX, lip=37.233.XX.XXX, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=560: fatal unknown CA [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: unknown state [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [89.77.22X.XXX]
host = myhostname
source = /var/log/mail.log
sourcetype = postfix_syslog
6/6/15
1:38:08.000 AM
Jun 6 01:38:08 myhostname dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [89.77.22X.XXX]
ベストアンサー1
独自の証明書を生成し、cacert.orgで署名しました。
cacert.orgは現在、主要なオペレーティングシステムから信頼されていません。 Debianにも存在していましたが削除されました。一部の* BSDにはまだ存在する可能性があります。 Windows、Android、Mac OSなど、どのブラウザもこのCAを信頼していないことは注目に値します。
検証エラーがわかりません。 num = 19:証明書チェーンセクションに自己署名証明書があります。信頼できるCAcert機関を使用している場合、自己署名はどうなりますか?
cacert をローカルにインストールしても、デフォルトではopenssl s_client
CA が検証に使用されないため、すべてを信頼できません。そして提供された出力にはとにかく無効なルート証明書が含まれています。信頼できるルートはすでにシステムにローカルである必要があるため、チェーンのルート証明書は無視されます。