$ openssl s_client --starttls smtp -connect reportbug.debian.org:587 CONNECTED(00000003) depth=0 C = NA, ST = NA, L = Ankh Morpork, O = Debian SMTP, OU = Debian SMTP CA, CN = buxtehude.debian.org, emailAddress = hostmas...@buxtehude.debian.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = NA, ST = NA, L = Ankh Morpork, O = Debian SMTP, OU = Debian SMTP CA, CN = buxtehude.debian.org, emailAddress = hostmas...@buxtehude.debian.org verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=buxtehude.debian.org/emailAddress=hostmas...@buxtehude.debian.org i:/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA/emailAddress=hostmas...@puppet.debian.org --- Server certificate -----BEGIN CERTIFICATE----- MIIFOjCCBCKgAwIBAgICDvwwDQYJKoZIhvcNAQEFBQAwgaYxCzAJBgNVBAYTAk5B MQswCQYDVQQIEwJOQTEVMBMGA1UEBxMMQW5raCBNb3Jwb3JrMRQwEgYDVQQKEwtE ZWJpYW4gU01UUDEXMBUGA1UECxMORGViaWFuIFNNVFAgQ0ExFzAVBgNVBAMTDkRl YmlhbiBTTVRQIENBMSswKQYJKoZIhvcNAQkBFhxob3N0bWFzdGVyQHB1cHBldC5k ZWJpYW4ub3JnMB4XDTE3MTIxMjAwMDAxMVoXDTE4MTIxMjAwMDAxMVowga8xCzAJ BgNVBAYTAk5BMQswCQYDVQQIEwJOQTEVMBMGA1UEBxMMQW5raCBNb3Jwb3JrMRQw EgYDVQQKEwtEZWJpYW4gU01UUDEXMBUGA1UECxMORGViaWFuIFNNVFAgQ0ExHTAb BgNVBAMTFGJ1eHRlaHVkZS5kZWJpYW4ub3JnMS4wLAYJKoZIhvcNAQkBFh9ob3N0 bWFzdGVyQGJ1eHRlaHVkZS5kZWJpYW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAovy58Ske6mkx4bSCaS34lJ4FCorDU6H6oNEWlgNVTzH1xYA5 3wvMScSqvbRYPK8B0VSPD5/G+4dfj9XBGbHdHsS7nWHutrwyNUL6cTl2CBvUwAzP EQj5d3JLL0aa8VLZshH3BTKBuWx8TR983zDTb6+yKivvr1HcqSyeqeAZ3H3w4sb1 4SIXUDn65hoyoODgEWZWt8Xs8PTk1T37evp5QnabdX91bmN6UIkRPzJWuVNTPKtY xMVhIlHmhS+btvI7s8DI2XwOTMt5kLUq58XWr1OmIqpOBjASLn6ExChh1eXnPtcf vhzoFLKd8L+MVAb21qf1tkMn3ZeYls2345TcaQIDAQABo4IBZTCCAWEwCQYDVR0T BAIwADARBglghkgBhvhCAQEEBAMCBkAwIgYJYIZIAYb4QgENBBUWE0RlYmlhbiBT TVRQIENBIGNlcnQwHQYDVR0OBBYEFOCPtMQWehUMfn1FDZ4RoyDKg838MIHbBgNV HSMEgdMwgdCAFF9qbFIB0eabRXjptXlBG7eAytjGoYGspIGpMIGmMQswCQYDVQQG EwJOQTELMAkGA1UECBMCTkExFTATBgNVBAcTDEFua2ggTW9ycG9yazEUMBIGA1UE ChMLRGViaWFuIFNNVFAxFzAVBgNVBAsTDkRlYmlhbiBTTVRQIENBMRcwFQYDVQQD Ew5EZWJpYW4gU01UUCBDQTErMCkGCSqGSIb3DQEJARYcaG9zdG1hc3RlckBwdXBw ZXQuZGViaWFuLm9yZ4IJAPYIE0pJ99rTMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsG A1UdDwQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAolkEmpsPbJ7uu6noZ0uEZMI2 LnJTEJtFdXxcNFGLmC5XswksXD819v3ZvETVET52tRDD151avY2FqBrqamwEtyVp 1AnGfbmjhPFmjDlJfEtTb5/5s8Rmk75ySYdF/bMnufGb2IedbFdx5/rlNXl7ZQK/ /Nm7sI8MtsNpcdOBg6Sr9efrmk0BUUUrxMPxGhTsegEwYddgdKVqBiQiw6oot1bk vH5/mVkxtUJmUrdSNoPlVnOWitUJqCXARqA8VA3zOvoOZJ7HMq2M/zPDn72NBJrx WFX4EkUqvwzloM7JDJ7aH1/xG2+Bgr0JMQ9X4VOE8fdY43gWC/GdrRY1iFhb5g== -----END CERTIFICATE----- subject=/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=buxtehude.debian.org/emailAddress=hostmas...@buxtehude.debian.org issuer=/C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA/emailAddress=hostmas...@puppet.debian.org --- Acceptable client certificate CA names /C=NA/ST=NA/L=Ankh Morpork/O=Debian SMTP/OU=Debian SMTP CA/CN=Debian SMTP CA/emailAddress=hostmas...@puppet.debian.org Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1 Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2282 bytes and written 347 bytes Verification error: unable to verify the first certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 7E3BBFDAE6C0616D76239C40803DB81092DCA2E86842377C3A122A649F47D189 Session-ID-ctx: Master-Key: 2E1E1A68F43A38EDE8A4B67E82BA3C63D1551E6CF5F78F3F81F8F705418F7B7FF4A223088DF687D219CE12B283FEE0F9 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1530560544 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: yes --- 250 HELP quit 221 buxtehude.debian.org closing connection closed