Subject: adding CA certificates (for use by sendmail)
From: Wolfgang Agnes
Newsgroups: comp.unix.bsd.freebsd.misc, comp.mail.sendmail
Followup: comp.mail.sendmail
Organization: A noiseless patient Spider
Date: Wed, 13 Nov 2024 01:30 UTC
Message-ID: <87ttcbly3k.fsf@example.com>

(*) Follow-up-to

It's not easy to decide where I should ask: a FreeBSD group or a sendmail
one. I'm posting to both, but suggesting a follow-up-to
comp.mail.sendmail.

(*) Question

I'm particularly interested---due to curiosity and my education on the
subject---in the following sendmail message in maillog:

--8<-------------------------------------------------------->8---
Nov 12 08:27:39 antartida sm-mta[72775]: STARTTLS=client, cert-subject=/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=WR2, verifymsg=unable to get issuer certificate
--8<-------------------------------------------------------->8---

My intuition says the system doesn't have the certificate for the CN
mx.google.com. If my intuition is totally wrong, feel free to stop
reading right here.

The hostname connecting to my sendmail that generated that line above is

aspmx.l.google.com

So I tried (as a guess) to connect to this host on port 25, saying
STARTTLS and fetching the certificates that came. Because sendmail is
my primary concern, I installed these certificates in /etc/mail/certs.
I was afraid that if they were outside of /etc/mail, sendmail would
refuse to read them. And if my operation were not successful in this
conservative approach, then it would be a waste of time to try to move
these certificates outside of /etc/mail, so I did not even try that
because I did not succeed in avoiding the message ``unable to get issuer
certificate''.

I got three certificates with OpenSSL's -showcerts option.
They were GTS_Root_R1_2028.pem---this expires in 2028, but I already had
one for GTS Root R1 that expires in 2036---, GTS_WR2_RSA.pem and
GTS_WR2_EC.pem.

I obtained them with

openssl s_client -connect aspmx.l.google.com:25 \
-starttls smtp \
-showcerts </dev/null

I obtained the hash of each certificate with, for example,

openssl x509 -noout -hash < GTS_Root_R1_2028.pem

Then I created the symbolic links using these hashes, as ls shows below.

# pwd
/etc/mail/certs

# ls -l
total 88
lrwxr-xr-x 1 root wheel 20 Nov 12 08:26 1001acf7.0 -> GTS_Root_R1_2028.pem
lrwxr-xr-x 1 root wheel 10 Nov 1 14:17 382a9cdc.0 -> cacert.pem
lrwxr-xr-x 1 root wheel 15 Nov 12 08:26 3c8b39ef.0 -> GTS_WR2_RSA.pem
lrwxr-xr-x 1 root wheel 19 Nov 12 07:48 462422cf.0 -> ca-lets-encrypt.pem
lrwxr-xr-x 1 root wheel 14 Nov 12 08:26 6264a34a.0 -> GTS_WR2_EC.pem
-rw-r--r-- 1 root wheel 1566 Nov 10 07:44 ca-lets-encrypt.pem
-rw-r--r-- 1 root wheel 1318 Nov 1 14:17 cacert.pem
-rw-r--r-- 1 root wheel 1927 Nov 12 08:25 GTS_Root_R1_2028.pem
-r--r--r-- 1 root wheel 7395 Nov 12 08:25 GTS_Root_R1.pem
-rw-r--r-- 1 root wheel 2407 Nov 12 08:25 GTS_WR2_EC.pem
-rw-r--r-- 1 root wheel 1809 Nov 12 08:25 GTS_WR2_RSA.pem
-rw-r--r-- 1 root wheel 1350 Nov 1 14:17 host.cert.original
-rw-r--r-- 1 root wheel 2835 Nov 8 21:15 host.cert.pem
-rw------- 1 root wheel 1704 Nov 1 14:17 host.key.original
-rw------- 1 root wheel 241 Nov 8 21:15 host.key.pem

But that did not change those log messages. I don't know how to debug
sendmail to the point of seeing which files it is reading. Thanks for
any advice you might have.
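An added diagnostic for a directory like the one listed above (my own code, not from the post or from sendmail): it reads every PEM certificate in the directory and reports each one whose issuer is the subject of no other certificate there, which is the condition OpenSSL reports as "unable to get issuer certificate". It walks only the issuer and subject Names with a minimal DER parser instead of a third-party library, assumes attribute values are UTF-8 or printable strings, and does not check signatures, so a same-named certificate with a different key would not be noticed.

```python
import base64, pathlib, re
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(d, p):
    """DER element starting at d[p]: return (tag, value_start, element_end)."""
    tag, n, p = d[p], d[p + 1], p + 2
    if n & 0x80:                                # long-form length
        k = n & 0x7F
        n, p = int.from_bytes(d[p:p + k], "big"), p + k
    return tag, p, p + n

def issuer_subject(der):
    """Raw DER of the issuer Name and subject Name of one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                      # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                      # tbsCertificate SEQUENCE
    tag, _, e = _tlv(der, p)                    # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, e = _tlv(der, e)                  # skip version; e is now end of serialNumber
    _, _, p = _tlv(der, e)                      # skip signature AlgorithmIdentifier
    _, _, e = _tlv(der, p); issuer = der[p:e]   # issuer Name
    _, _, p = _tlv(der, e)                      # skip validity
    _, _, e = _tlv(der, p)                      # subject Name
    return issuer, der[p:e]

def dn_str(name):
    """Flatten a DER Name to '/value/value' (attribute types dropped, values as UTF-8)."""
    out, (_, p, end) = [], _tlv(name, 0)        # SEQUENCE OF RelativeDistinguishedName
    while p < end:
        _, q, rdn_end = _tlv(name, p)           # SET OF AttributeTypeAndValue
        while q < rdn_end:
            _, r, q = _tlv(name, q)             # SEQUENCE { type OID, value }
            _, _, r = _tlv(name, r)             # skip the type OID
            _, vs, ve = _tlv(name, r)
            out.append(name[vs:ve].decode("utf-8", "replace"))
        p = rdn_end
    return "/" + "/".join(out)

def load_certs(path):
    """[(file name, DER)] for every PEM certificate in the regular files under path."""
    certs = []
    for fp in sorted(pathlib.Path(path).iterdir()):
        if fp.is_file() and not fp.is_symlink():   # the hash links point at these files
            for m in PEM.finditer(fp.read_bytes()):
                certs.append((fp.name, base64.b64decode(b"".join(m.group(1).split()))))
    return certs

def missing_issuers(certs):
    """{file: issuer DN} for certificates whose issuer is the subject of no certificate given."""
    parsed = [(fn, *issuer_subject(der)) for fn, der in certs]
    have = {sub for _, _, sub in parsed}
    return {fn: dn_str(iss) for fn, iss, sub in parsed if iss != sub and iss not in have}
```

Run `missing_issuers(load_certs(path))` against the directory that sendmail's CACertPath option (confCACERT_PATH in the .mc file) actually names; any issuer still reported as missing has to be placed there and given its own hash symlink.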
