Root certificates issued by CAs are just self-signed certificates (which may in turn be used to issue intermediate CA certificates). They have not much special about them, except that they've managed to be imported by default in many browsers or OS trust anchors.
While browsers and some tools are configured to look for the trusted CA certificates (some of which may be self-signed) in location by default, as far as I'm aware the openssl
command isn't.
As such, any server that presents the full chain of certificate, from its end-entity certificate (the server's certificate) to the root CA certificate (possibly with intermediate CA certificates) will have a self-signed certificate in the chain: the root CA.
openssl s_client -connect myweb.com:443 -showcerts
doesn't have any particular reason to trust Verisign's root CA certificate, and because it's self-signed you'll get "self signed certificate in certificate chain".
If your system has a location with a bundle of certificates trusted by default (I think /etc/pki/tls/certs
on RedHat/Fedora and /etc/ssl/certs
on Ubuntu/Debian), you can configure OpenSSL to use them as trust anchors, for example like this:
openssl s_client -connect myweb.com:443 -showcerts -CApath /etc/ssl/certs