I am having the same problem with apis.live.net:443. I am running Debian stable with ca-certificates 20141019+deb8u1.
Thanks. -nandhp $ openssl s_client -connect apis.live.net:443 CONNECTED(00000003) depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=storage.live.com i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2 i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root --- Server certificate [...] subject=/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=storage.live.com issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2 --- No client certificate CA names sent --- SSL handshake has read 6828 bytes and written 509 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: [...] Session-ID-ctx: Master-Key: [...] Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1454865834 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- ^C On Thu, 28 Jan 2016 16:44:09 +0100 Peter Dahlberg <catd...@tuxzone.org> wrote: > Hi, > > There seems to be a similar looking issue because of the removed "GTE > CyberTrust Global Root". > > jessie: > > $ openssl s_client -connect pictureis24-a.akamaihd.net:443 > CONNECTED(00000003) > depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root > verify error:num=20:unable to get local issuer certificate > verify return:0 > --- > Certificate chain > 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net > i:/C=NL/L=Amsterdam/O=Verizon Enterprise > Solutions/OU=Cybertrust/CN=Verizon > Akamai SureServer CA G14-SHA2 > 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise > Solutions/OU=Cybertrust/CN=Verizon > Akamai SureServer CA G14-SHA2 > i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root > 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root > i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE > CyberTrust Global Root > --- > > testing: > > % openssl s_client -connect pictureis24-a.akamaihd.net:443 > CONNECTED(00000003) > depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root > verify return:1 > depth=1 C = NL, L = Amsterdam, O = Verizon Enterprise Solutions, OU = > Cybertrust, CN = Verizon Akamai SureServer CA G14-SHA2 > verify return:1 > depth=0 C = US, ST = MA, L = Cambridge, O = Akamai Technologies Inc., CN = > a248.e.akamai.net > verify return:1 > --- > Certificate chain > 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net > i:/C=NL/L=Amsterdam/O=Verizon Enterprise > Solutions/OU=Cybertrust/CN=Verizon > Akamai SureServer CA G14-SHA2 > 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise > Solutions/OU=Cybertrust/CN=Verizon > Akamai SureServer CA G14-SHA2 > i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root > 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root > i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE > CyberTrust Global Root > --- > > Kind regards, > Peter > > >