某些不受信任的Globalsign根证书[关闭]

Question

我已经挠头了几个小时，现在我感到迷失了。所以请原谅以下内容只是愚蠢的事情。

从今天起，我无法从笔记本电脑验证Globalsign的CA证书（正在运行最新更新的Debian测试）：

$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect valid.e46.roots.globalsign.com:443 CONNECTED(00000003) depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign ECC EV SSL CA 2019 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 businessCategory = Private Organization, serialNumber = 578611, jurisdictionC = US, jurisdictionST = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", OU = GlobalSign Root E46, O = "GMO GlobalSign, Inc.", CN = valid.e46.roots.globalsign.com verify return:1 --- Certificate chain 0 s:businessCategory = Private Organization, serialNumber = 578611, jurisdictionC = US, jurisdictionST = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", OU = GlobalSign Root E46, O = "GMO GlobalSign, Inc.", CN = valid.e46.roots.globalsign.com i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign ECC EV SSL CA 2019 -----BEGIN CERTIFICATE----- MIIEcDCCA/agAwIBAgIMWIK2JcvVAhe2nNZzMAoGCCqGSM49BAMDMFAxCzAJBgNV BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1HbG9i YWxTaWduIEVDQyBFViBTU0wgQ0EgMjAxOTAeFw0xOTEwMTgxMTUxMDNaFw0yMTEw MTgxMTUxMDNaMIIBMDEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRpb24xDzAN BgNVBAUTBjU3ODYxMTETMBEGCysGAQQBgjc8AgEDEwJVUzEeMBwGCysGAQQBgjc8 AgECEw1OZXcgSGFtcHNoaXJlMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3IEhh bXBzaGlyZTETMBEGA1UEBxMKUG9ydHNtb3V0aDEpMCcGA1UECRMgMiBJbnRlcm5h dGlvbmFsIERyaXZlLCBTdWl0ZSAxNTAxHDAaBgNVBAsTE0dsb2JhbFNpZ24gUm9v dCBFNDYxHTAbBgNVBAoTFEdNTyBHbG9iYWxTaWduLCBJbmMuMScwJQYDVQQDEx52 YWxpZC5lNDYucm9vdHMuZ2xvYmFsc2lnbi5jb20wWTATBgcqhkjOPQIBBggqhkjO PQMBBwNCAAQ0UkXb74tcr41eQG59k81DEg6o57NqygfNmmvYOiVAhXEM+u6bdKpO /r7U9PMNaSzF1OO8jceiGiVuLHwdS2vBo4IB0jCCAc4wDgYDVR0PAQH/BAQDAgOI MIGOBggrBgEFBQcBAQSBgTB/MEQGCCsGAQUFBzAChjhodHRwOi8vc2VjdXJlLmds b2JhbHNpZ24uY29tL2NhY2VydC9nc2VjY2V2c3NsY2EyMDE5LmNydDA3BggrBgEF BQcwAYYraHR0cDovL29jc3AuZ2xvYmFsc2lnbi5jb20vZ3NlY2NldnNzbGNhMjAx OTBVBgNVHSAETjBMMEEGCSsGAQQBoDIBATA0MDIGCCsGAQUFBwIBFiZodHRwczov L3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAHBgVngQwBATAJBgNVHRME AjAAMD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20v Z3NlY2NldnNzbGNhMjAxOS5jcmwwKQYDVR0RBCIwIIIedmFsaWQuZTQ2LnJvb3Rz Lmdsb2JhbHNpZ24uY29tMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAf BgNVHSMEGDAWgBT57IHJkKMEPHyk7EXJVqjiyt/JZDAdBgNVHQ4EFgQUy85llfuD nRFCw5TiP7vP5OIIF6UwCgYIKoZIzj0EAwMDaAAwZQIwDdJLfr5YpbtXDqu8jhfj 67GHRtTj2HuIbqw7bvxXHlebmOzuZ/sfUzqS+EArtZQaAjEAqAghZe2p0WDTlHje kb15VyXK5x1H77MMOe503Lq34TIrxmhJXwwKLJQTjp8CPCE7 -----END CERTIFICATE----- 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign ECC EV SSL CA 2019 i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Root E46 -----BEGIN CERTIFICATE----- MIIDJzCCAq2gAwIBAgISEdccJIaHkGp/hWS8eBD9S1/DMAoGCCqGSM49BAMDMEYx CzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYDVQQD ExNHbG9iYWxTaWduIFJvb3QgRTQ2MB4XDTE5MDQxMDAwMDAwMFoXDTI5MDQxMDAw MDAwMFowUDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2Ex JjAkBgNVBAMTHUdsb2JhbFNpZ24gRUNDIEVWIFNTTCBDQSAyMDE5MHYwEAYHKoZI zj0CAQYFK4EEACIDYgAEHVogGXLAUhwlFyGi5yJfH41TETKa0cWv5UKpp7VWfFWB Lcp+l4wBh1fOzBselOaZy90zAp91BeJ9ex11REh9v8hKIMXi3s886Wt85SRgUJjR M2aq/6tG5k7eY7bBJmnJo4IBUjCCAU4wDgYDVR0PAQH/BAQDAgGGMCcGA1UdJQQg MB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwkwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQU+eyByZCjBDx8pOxFyVao4srfyWQwHwYDVR0jBBgwFoAU MQqQj7bGndJES4C1ouYfsRJPG5UwPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzAB hiJodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290ZTQ2MDYGA1UdHwQvMC0w K6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdGU0Ni5jcmwwRwYD VR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2Jh bHNpZ24uY29tL3JlcG9zaXRvcnkvMAoGCCqGSM49BAMDA2gAMGUCMQCOioz2MWKm UZgoN+vJYTa8E60SQ+q21j5qOWP9mRe/jYzEj6PmwKlMSsxkbL3+OwUCMH7T2Vh3 CmZvvhnSSuX6zmZBqu/Yw5a4r3i+4t5rTI4DDTInmynTGC26PX442LCwaQ== -----END CERTIFICATE----- --- Server certificate subject=businessCategory = Private Organization, serialNumber = 578611, jurisdictionC = US, jurisdictionST = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", OU = GlobalSign Root E46, O = "GMO GlobalSign, Inc.", CN = valid.e46.roots.globalsign.com issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign ECC EV SSL CA 2019 --- No client certificate CA names sent Peer signing digest: SHA512 Peer signature type: ECDSA Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2459 bytes and written 448 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256 Server public key is 256 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-ECDSA-AES128-GCM-SHA256 Session-ID: EABA76D338C855764721D5FB2CACB43CB53BA165FABFEA38BDF344FDD66581E6 Session-ID-ctx: Master-Key: 2B9710AF9C83796DB5DB038D4BEBD972C4FE5035B916BDA19A38F18E11E5E20538A5DF168A33A45E6A7BF459F86B5C6F PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 2e cd ae 74 5a 21 9d 2d-7f 39 34 48 be d7 d1 ce ...tZ!.-.94H.... 0010 - 61 5a b5 20 13 ab 68 27-80 70 09 f4 c7 4c 0d e9 aZ. ..h'.p...L.. 0020 - 53 e1 96 ba 16 fb 67 df-60 2a fc c9 d9 bd e8 26 S.....g.`*.....& 0030 - 5d f4 f3 b1 cd c1 86 18-3a 60 72 c6 74 3c fd af ].......:`r.t<.. 0040 - d4 8b 5c fc 3f f3 8b 43-e5 31 33 9d af c3 4d 45 ..\.?..C.13...ME 0050 - b8 9e a1 d5 6f 64 61 67-83 1f 90 16 72 9a f2 0c ....odag....r... 0060 - 0e be ae a2 d6 c9 98 39-9d be 33 12 7f 8d 2d 3c .......9..3...-< 0070 - 69 85 e9 ca 9b 4d 14 2a-ce 85 90 84 67 d7 25 ff i....M.*....g.%. 0080 - 25 1b a2 a2 ee 87 01 34-14 10 fe a5 39 c7 e0 65 %......4....9..e 0090 - 1d 4b 54 c2 c7 b8 1f 6d-4e 10 c5 ee 4a b6 c5 72 .KT....mN...J..r 00a0 - ff 8a 98 64 bc be 4d 60-9c 3c aa 26 25 75 43 11 ...d..M`.<.&%uC. 00b0 - 71 46 54 b9 d3 49 8b 8b-7d d7 0e 04 00 cb 2f fd qFT..I......./. Start Time: 1581068808 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: no ---

[请注意，我在此URL上列出的另一个问题也有类似的问题：https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates

$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect valid.r46.roots.globalsign.com:443 CONNECTED(00000003) depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA EV SSL CA 2019 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 businessCategory = Private Organization, serialNumber = 578611, jurisdictionC = US, jurisdictionST = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", OU = GlobalSign Root R46, O = GMO GlobalSign Inc., CN = valid.r46.roots.globalsign.com verify return:1 --- Certificate chain 0 s:businessCategory = Private Organization, serialNumber = 578611, jurisdictionC = US, jurisdictionST = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", OU = GlobalSign Root R46, O = GMO GlobalSign Inc., CN = valid.r46.roots.globalsign.com i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA EV SSL CA 2019 -----BEGIN CERTIFICATE----- MIIF2zCCBMOgAwIBAgIMCJ8UNBO7hjMjbD1PMA0GCSqGSIb3DQEBDAUAMFAxCzAJ BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H bG9iYWxTaWduIFJTQSBFViBTU0wgQ0EgMjAxOTAeFw0xOTEwMjUxNTQ2MDJaFw0y MTEwMjUxNTQ2MDJaMIIBLzEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRpb24x DzANBgNVBAUTBjU3ODYxMTETMBEGCysGAQQBgjc8AgEDEwJVUzEeMBwGCysGAQQB gjc8AgECEw1OZXcgSGFtcHNoaXJlMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3 IEhhbXBzaGlyZTETMBEGA1UEBxMKUG9ydHNtb3V0aDEpMCcGA1UECRMgMiBJbnRl cm5hdGlvbmFsIERyaXZlLCBTdWl0ZSAxNTAxHDAaBgNVBAsTE0dsb2JhbFNpZ24g Um9vdCBSNDYxHDAaBgNVBAoTE0dNTyBHbG9iYWxTaWduIEluYy4xJzAlBgNVBAMT HnZhbGlkLnI0Ni5yb290cy5nbG9iYWxzaWduLmNvbTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMSZFFoEtJczp5seAFVp5qr51z1q9k+eqBYaqEV1CTXa voJXRKN9mb9Yp/+pDbgVoRd1+tCWgUpGZ+vVawpbSB85rGo1KAB67WCLqrHux0Fy BrNyuroN7Ug2haV692BKq7UCVQwIzGIg24AGEx5Ct/YvhNQbjx5F0uFaZfOkoe+u 3zDbZLI1jP0aE9BSZmG7X9dsMxJBYg6PgFDY2638siQGyDOj/O9Hr5MyKBug0YeH oFVZ0m1VdnmREgrrxGaCYvPl2E62Esn8JVZAIyVngw5ciZ9+jW/jIrN3FmJ0OHv+ MqjuR7WJLVUR5ZuJKpiUgueUNJJLpLOSmYrr+J5IYF8CAwEAAaOCAdIwggHOMA4G A1UdDwEB/wQEAwIFoDCBjgYIKwYBBQUHAQEEgYEwfzBEBggrBgEFBQcwAoY4aHR0 cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nyc2FldnNzbGNhMjAx OS5jcnQwNwYIKwYBBQUHMAGGK2h0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2dz cnNhZXZzc2xjYTIwMTkwVQYDVR0gBE4wTDBBBgkrBgEEAaAyAQEwNDAyBggrBgEF BQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wBwYF Z4EMAQEwCQYDVR0TBAIwADA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmds b2JhbHNpZ24uY29tL2dzcnNhZXZzc2xjYTIwMTkuY3JsMCkGA1UdEQQiMCCCHnZh bGlkLnI0Ni5yb290cy5nbG9iYWxzaWduLmNvbTAdBgNVHSUEFjAUBggrBgEFBQcD AQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUvPSDa2pTbBcFvdS/DLMW8Q9jxd8wHQYD VR0OBBYEFIZhqySmWivuAdMUYMx7rbn0cnILMA0GCSqGSIb3DQEBDAUAA4IBAQBa DEA15voA0urX9Y4iDSRJihkLa5l2vtXqhiBBPdXOu+y8vt4yR7f0l/to0/PQ6jwc EOdq+MPW9Eex5XwzTMc98+nGthd/WkZWXhWIW7V9XSR/UH69c2oD4uaiqJa66rXy QBKn7CVE2DEr7eM9kmViv4MNTmpYJ1ktcGSHRLDOGXav9ubhqzIds4ugBqyS3LSs hcQ3esAYH5I1YulTwwQyUyJzMhd9XkdkxHX2kIbIRJH+qrXzdw2ZbhVu9R0Dv4bq SHh4ELhuX9BcFqEuJZ7AQHAlKLUf6bQWWLiJHdrZICIv3yQjn6f0feWl0RgjKALV CFGbuPvzokEbaJfmfbhi -----END CERTIFICATE----- 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA EV SSL CA 2019 i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Root R46 -----BEGIN CERTIFICATE----- MIIFdjCCA16gAwIBAgISEdccItot5O/ZQ0miQN9opU7NMA0GCSqGSIb3DQEBDAUA MEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYD VQQDExNHbG9iYWxTaWduIFJvb3QgUjQ2MB4XDTE5MDQxMDAwMDAwMFoXDTI5MDQx MDAwMDAwMFowUDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYt c2ExJjAkBgNVBAMTHUdsb2JhbFNpZ24gUlNBIEVWIFNTTCBDQSAyMDE5MIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3K/77sbTv3nDfJaNEqXSW/0guYdK WoDtFrhnPL35ce8NEZkt2BzXAymneHBneMOUzTKUNJPa8uDFDLbmRmpIixs4IEFZ Ab6fW0I5UQe62EGXgn6j7Y+hXmiosLsTjLojfAI3NuMnCEhhuk/teuCfnVntIt4V ZjIB5dCG6asNKctVE95EP01jRbKLm57UtHaTiC3jRmcstu46BY45WottN9m2QFDd CsIvixEo3opBPTlsN4Q2dvu2PIb/JG7tRQISC9wzkkpWxCJlJaHboo83FMPJWgGN 3vi8vInAd7ETYWhc8meCZYpBczSrmXyg+eB2aJujfcQ1fQ0amsghsPDjLwIDAQAB o4IBUjCCAU4wDgYDVR0PAQH/BAQDAgGGMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggr BgEFBQcDAgYIKwYBBQUHAwkwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU vPSDa2pTbBcFvdS/DLMW8Q9jxd8wHwYDVR0jBBgwFoAUA1yrc4GHqMywptWU4jaW Sf8FmSwwPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5n bG9iYWxzaWduLmNvbS9yb290cjQ2MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9j cmwuZ2xvYmFsc2lnbi5jb20vcm9vdHI0Ni5jcmwwRwYDVR0gBEAwPjA8BgRVHSAA MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9z aXRvcnkvMA0GCSqGSIb3DQEBDAUAA4ICAQAMK1VlNp9F9wsWpKduIzL68Epd5Nt8 x0xLJtbfQ/mZAHosQPU1uNEGCondbzln4Evk//wOjuMyzrOqf5H6MiTfEVd6NnA6 KoQWpu/FzqFwUv3igfqPUCV+5w7LJ4+fj0IMk8eaA3/jiUtvOM5+JTVUYMO7f4O2 R64Uav7a1t7NOqUiyvREZfkOJVY6xeaJEtl8P+u8x/KOL17wPvBcx1NUXFKQbt/q 8cPaHopfg6YIG8aCWSzd5GqohDWxercMsgx4itSyBSR/qqbtuBOefYsSg8zZeuSA S5yC3WQnu0Me5/6zgYq1j71S/7kl3xSGtk2RSX9IjJGywN8889ccqMXhk20NeG4Q P1YvqZuV7etCVNlBjp/px0L5Ye0HyjlE5iLz/jA9PJtU12hMkXHIKniag/4aoAKF uMQ9TFTR6uSKgbRUeraIBpwFJPV/UrzcAzNVJV/s5FyGWKGgchU6pWYEtLUdoQBA pOd66zSMIijTdbsJB/Gn5rOYhPO8Kky7kXK6kFxnwpBcsWf16QWsBJO4kfTlz677 VhJ9X3/t3HRWxZNDLUWTMZ9stHgGkh6JsoSilORnkGV/lBsYCswO5dRz2E4bYG7t R9GBZm8arzz+gSxRQuYli7KDimeW2eZHaOGYjRo6JrJDbVHXZ3RaxnxfJEINVqtD wuGRB4GCvjdeDg== -----END CERTIFICATE----- --- Server certificate subject=businessCategory = Private Organization, serialNumber = 578611, jurisdictionC = US, jurisdictionST = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", OU = GlobalSign Root R46, O = GMO GlobalSign Inc., CN = valid.r46.roots.globalsign.com issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA EV SSL CA 2019 --- No client certificate CA names sent Peer signing digest: SHA512 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3598 bytes and written 448 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 639F1B51D0D2F7C29A06162F28BFC731FD519A9BD0845FD0AD1DEEF79DE18AD2 Session-ID-ctx: Master-Key: 610F8181903E5A671945F20FE0AA43538D26EFBF61CCFF4B7B4969CB3BE7EE99C5D47AF7603AEDEDA54E060CB2680367 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 2e cd ae 74 5a 21 9d 2d-7f 39 34 48 be d7 d1 ce ...tZ!.-.94H.... 0010 - 14 5f 3e 40 2b 34 25 68-7e 43 eb 98 b8 78 c2 1f ._>@+4%h~C...x.. 0020 - de 17 52 3d 05 ba e3 9e-d4 7b a8 5d 7b 23 27 c9 ..R=......]#'. 0030 - 80 83 88 52 d4 7b 88 55-89 79 ff 57 80 92 3c ce ...R..U.y.W..<. 0040 - 49 ed 0e d3 98 f0 e5 dd-82 0c de 06 43 98 32 e7 I...........C.2. 0050 - f0 31 b9 00 b8 d4 95 dd-7f 41 06 eb 95 7c 33 70 .1.......A...|3p 0060 - 01 ca 97 69 b3 35 ef 84-75 c7 f3 ef 64 21 78 87 ...i.5..u...d!x. 0070 - 96 82 c6 b9 0d 04 f3 f8-df 0f 56 f9 f7 50 94 45 ..........V..P.E 0080 - 1f 20 98 b7 a1 0f 2d 62-57 7b 60 c2 b2 9c ed 26 . ....-bW`....& 0090 - db c9 22 46 0b d1 a5 57-07 0f cb 66 76 e4 98 53 .."F...W...fv..S 00a0 - 34 11 32 f6 aa fd 34 b8-43 8b f7 b2 d1 d4 c9 c4 4.2...4.C....... 00b0 - f5 f6 b8 0b d7 33 3d 46-c5 53 09 2c 72 c1 01 95 .....3=F.S.,r... Start Time: 1581069216 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: no ---

软件包ca-certificates保持最新状态：$ dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version      Architecture Description
+++-===============-============-============-=================================
ii  ca-certificates 20190110     all          Common CA certificates

任何可能的原因的线索？