certificate checks do not detect intermediate CA expiration

I have discovered it is possible for both the CA and the Server Cert to be valid and pass checks, but an intermediate cert to be expired causing the chain of trust to be broken.

$ date
Fri Aug 21 14:15:10 UTC 2020

Here is a simple failure to pull versions for the keystone API:
$ curl --cacert $OS_CACERT https://keystone.mysite.com:5000/v3
curl: (60) SSL certificate problem: certificate has expired

If I inspect both the CA and the server certs, they're both valid during above noted date:
$ openssl x509 -in $OS_CACERT -noout -enddate
notAfter=Dec 31 23:59:59 2030 GMT
$ juju config keystone ssl_ca | base64 -d | openssl x509 -noout -enddate
notAfter=Dec 31 23:59:59 2030 GMT
$ juju config keystone ssl_cert | base64 -d | openssl x509 -noout -enddate
notAfter=Jun 23 23:59:59 2021 GMT

This command returns the specific error to STDERR showing the intermediate cert being expired:

$ echo / |openssl s_client -showcerts -servername keystone.mysite.com -connect keystone.mysite.com:5000 -CAfile $OS_CACERT > /dev/null
depth=3 C = CTRY, O = SOME_ORG, OU = SOME OU OR ANOTHER, CN = SOME External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
DONE

Unfortunately, when I start walking the certs up the issuer path, I'm only able to find certs expiring well into 2028 and later, so I'm not sure where this intermediate cert that's expired is coming from, unless it's flowing through a proxy.