I am using the following script to do CRL certificate verification on OS X 10.11.6 El Capitan.
host=wikipedia.org
port=443
# Fetch the server's leaf certificate
openssl s_client -connect "$host:$port" 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > "$host.pem"
# Extract the CRL distribution point URL, download the CRL (DER) and convert it to PEM
crlurl=$(openssl x509 -noout -text -in "$host.pem" | grep -A 4 'X509v3 CRL Distribution Points' | grep URI | grep -Eo '(http|https)://[^"]+')
curl "$crlurl" -o "$host.crl.der"
openssl crl -inform DER -in "$host.crl.der" -outform PEM -out "$host.crl.pem"
# Save every certificate the server sends (leaf and intermediates) into one chain file
openssl s_client -connect "$host:$port" -showcerts -tlsextdebug -tls1 2>&1 </dev/null | awk '/BEGIN CERT/ {p=1} p==1; /END CERT/ {p=0}' > "$host.chain.pem"
# Verify the leaf against the chain plus the CRL
cat "$host.chain.pem" "$host.crl.pem" > "$host.crl_chain.pem"
openssl verify -crl_check -CAfile "$host.crl_chain.pem" "$host.pem"
It works fine on Ubuntu, but when I try to run it on OS X it throws the following error.
wikipedia.org.pem: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
error 2 at 1 depth lookup:unable to get issuer certificate
Connecting to wikipedia.org with s_client returns:
Verify return code: 20 (unable to get local issuer certificate)
The CA issuer of wikipedia.org is in the truststore, i.e. cacerts.pem on Ubuntu, mainly located in lib/security/cacerts, and it does not exist on OS X 10.11.6 El Capitan. TrustStore:
$(/usr/libexec/java_home)/jre/lib/security/cacerts
Use the following command to view the SSL certificate chain and try appending wikipedia.org's root CA to your Mac TrustStore:
openssl s_client -showcerts -servername wikipedia.org -connect wikipedia.org:443
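The failing verify step from the question and the answer's advice to add the root CA, reproduced offline as an added example that is not part of this question or answer. It builds a throwaway root, intermediate and leaf with openssl (all names and files are constructed, and openssl is assumed to be on PATH), shows that openssl verify -crl_check only succeeds once the root CA is in the -CAfile bundle alongside the server's chain and the CRL, and then shows the same bundle failing once the leaf is revoked.

```shell
#!/bin/sh
# Added example, not from the original question or answer: a throwaway root -> intermediate -> leaf
# chain plus an intermediate-issued CRL, showing why "openssl verify -crl_check" needs the ROOT in -CAfile.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal config: "openssl ca -gencrl" needs a database and a CRL number file;
# [v3_ca] marks the CA certificates as CAs so verify accepts them as issuers.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
touch index.txt; echo 01 > crlnumber
# Constructed CA hierarchy: self-signed root, intermediate signed by root, leaf signed by intermediate
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 7 \
  -subj "/CN=Demo Root" -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate" -config ca.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 7 \
  -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=demo.example" -config ca.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 7 \
  -out leaf.pem 2>/dev/null
# Empty CRL issued by the intermediate, i.e. by the leaf's issuer (the CRL that -crl_check looks for)
openssl ca -config ca.cnf -gencrl -keyfile inter.key -cert inter.pem -out inter.crl.pem 2>/dev/null
# verify_leaf BUNDLE: the question's final step; echoes 0 when verify succeeds, 1 when it fails
verify_leaf() {
  if openssl verify -crl_check -CAfile "$1" leaf.pem >/dev/null 2>&1; then echo 0; else echo 1; fi
}
cat inter.pem inter.crl.pem > chain_only.pem                 # what the script in the question assembled
cat root.pem inter.pem inter.crl.pem > chain_plus_root.pem   # the same bundle with the root CA appended
NO_ROOT=$(verify_leaf chain_only.pem)         # 1: "error 2 at 1 depth lookup: unable to get issuer certificate"
WITH_ROOT=$(verify_leaf chain_plus_root.pem)  # 0: chain builds up to the root and the CRL check passes
# Revoke the leaf and reissue the CRL: the complete bundle now fails on the CRL check instead
openssl ca -config ca.cnf -revoke leaf.pem -keyfile inter.key -cert inter.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -keyfile inter.key -cert inter.pem -out inter.crl.pem 2>/dev/null
cat root.pem inter.pem inter.crl.pem > chain_plus_root.pem
REVOKED=$(verify_leaf chain_plus_root.pem)    # 1: "certificate revoked"
echo "without root: $NO_ROOT, with root: $WITH_ROOT, after revocation: $REVOKED"
```

On a Mac with the stock OpenSSL this is the difference between the first and second bundle: the system keychain is not consulted, so the root has to be in the file given to -CAfile.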