SSL and Apache: GeoTrust CryptoReport says “OK”, but openssl says “unable to get local issuer certificate”

This actually applies to a bunch of other services we use this same certificate for, but the way Apache does this is the most obvious and contradictory when you compare the test results.

We have a wildcard certificate on our website at https://webmail.lightspeed.ca. Web browsers give our clients a green lock, GeoTrust's CryptoReport at https://cryptoreport.geotrust.com/checker/ tells me that our certificate is installed correctly. Yet when I try to use openssl s_client -connect webmail.lightspeed.ca:443, I get the error Verify return code: 20 (unable to get local issuer certificate)

This is what our Apache configuration looks like for SSL:

SSLEngine on
SSLCertificateFile /mailhome/webmail.lightspeed.ca/ssl.cert
SSLCertificateKeyFile /mailhome/webmail.lightspeed.ca/ssl.key
SSLCACertificateFile /etc/ssl/certs/GeoTrust_DV_SSL_CA-G3.pem

While I understand that the connection is being encrypted, evidently this error message also means that I'm not being fully verified as who I say I am. This is problematic when we apply these same certificates to say, our SMTP or POP server, as some clients (like Outlook for Android) are really anal about this stuff. The test at http://www.checktls.com/perl/TestReceiver.pl doesn't like this, for example, and we get the error Cert NOT VALIDATED: unable to get local issuer certificate. I find that really weird, because the file GeoTrust_DV_SSL_CA-G3.pem is our intermediate CA certificate. And it's Geotrust's CA for our particular kind of wildcard cert.

This has been nothing but a source of aggravation for me. Your help would be greatly appreciated.