Two Way SSL - client SSL certificate verify error

September 25, 2017 08:04AM
I am testing out two-way SSL and I have configured a Root CA and an Intermediate CA, and created server and client certificates which are signed by the Intermediate CA.

This is my configuration file:
------------------------------------------------------------------
server {
    listen 443;
    server_name server.test.com;
    ssl on;

    # App Cert plus Intermediate CA Cert
    ssl_certificate /root/ca/intermediate/certs/server_plus_intermediate.chain.pem;

    # Application Key
    ssl_certificate_key /root/ca/intermediate/private/server.test.com.key.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    error_log /var/log/nginx/massl.log debug;

    ssl_client_certificate /root/ca/certs/ca.cert.pem;
    ssl_verify_client on;

    location / {
        root /usr/share/nginx/massl;
        index index.html index.htm;
    }
}
------------------------------------------------------------------

If I use the above config and pass the client certificate (also signed by the same Intermediate CA) and key in curl or openssl s_client, I get the error below in /var/log/nginx/massl.log:

2017/09/25 21:49:15 [info] 94#94: *9 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 1.6.0.30, server: server.test.com, request: "GET / HTTP/1.0", host: "server.test.com"

I don't have any certificate error in 'openssl s_client' log. Here is the short and debug log https://gist.github.com/vikas027/6c2225c34bb705d83df3547ac9f7467a

I understand that I am missing the Intermediate CA certificate in the client chain, but I am not sure how to pass it. I have tried adding the Intermediate CA in the 'ssl_client_certificate' parameter, in vain.

Additionally, everything works fine if I use the certificate (and corresponding key) of the Root CA and Intermediate CA.
vikas027 September 25, 2017 08:04AM
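
An offline way to check which trust-file contents let a client certificate from this kind of three-tier chain validate, added here as an example and not part of the original post. The PKI, the file names and the `chain_ok` helper are constructed for illustration; `-CAfile` stands in for the file given to nginx's `ssl_client_certificate`, and `-untrusted` for extra certificates the client sends along with its own.

```bash
#!/bin/sh
# Constructed PKI: root -> intermediate -> client, mirroring the chain in the post.
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

mk_csr() {  # $1 = file prefix, $2 = common name (both made up for this example)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {
  cd "$PKI" || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  mk_csr root "Example Root CA" && mk_csr intermediate "Example Intermediate CA" \
    && mk_csr client "example-client" || return 1
  # Self-signed root, then root signs intermediate, intermediate signs client.
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null || return 1
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 2 -extfile ca.ext -out intermediate.pem 2>/dev/null || return 1
  openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key \
    -set_serial 3 -days 2 -extfile leaf.ext -out client.pem 2>/dev/null || return 1
  # Trust bundle holding both CA certificates.
  cat intermediate.pem root.pem > ca-chain.pem
}

# Succeeds only if openssl can link client.pem to a trusted root with the given options.
chain_ok() {
  openssl verify "$@" client.pem 2>&1 | grep -q '^client.pem: OK$'
}

build_pki || { echo "could not build the sample PKI" >&2; exit 1; }
# Case 1: trust file has only the root and the client sends only its leaf.
# Case 2: trust file has intermediate + root.
# Case 3: trust file has only the root, but the intermediate is supplied as well.
for opts in "-CAfile root.pem" "-CAfile ca-chain.pem" \
            "-CAfile root.pem -untrusted intermediate.pem"; do
  # $opts is deliberately unquoted so it splits into separate arguments.
  if chain_ok $opts; then result=OK; else result=FAIL; fi
  printf '%-48s %s\n' "$opts" "$result"
done
```

nginx additionally applies its `ssl_verify_depth` directive (default 1) to the client chain, which this offline check does not model.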