> openssl s_client -connect jira.example.net:8443 -CApath /etc/ssl/certs/ Та же ошибка
$ openssl s_client -connect jira.example.net:8443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 C = UA, CN = jira.example.net, emailAddress = webmaster@example.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UA, CN = jira.example.net, emailAddress = webmaster@example.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = UA, CN = jira.example.net, emailAddress = webmaster@example.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
...
...
...
subject=/C=UA/CN=jira.example.net/emailAddress=webmaster@example.net
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2644 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 558A79F79BD40FD46CC269070BDCD945723DD3ADBD95F3CD630CB907736F5BCF
Session-ID-ctx:
Master-Key: 098376A226B8CFDEE25E006435C7939754E4CD9C9FAA453228D4B8C3764C179983843DBD257144069E1C7B03969F132B
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1435138551
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Если пускать через апач, то таких проблем нет, даже без указания -CApath
$ openssl s_client -connect jira.example.net:443
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = UA, CN = jira.example.net, emailAddress = webmaster@example.net
verify return:1
---