Super User Asked by Jimmy Chu on December 11, 2020
I want to configure my Nginx to use mutual SSL to verify clients connecting to my server. So I have the following setup in my nginx conf:

    access_log /var/www/logs/app.nginx-access.log;
    error_log /var/www/logs/app.nginx-error.log info;

    # SSL config
    ssl on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/domain-name.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain-name.com/privkey.pem; # managed by Certbot

    # setting for mutual ssl with client
    ssl_client_certificate /etc/nginx/ssl/clients.crt;
    ssl_verify_client on;
    ssl_verify_depth 10;
I then appended a test client certificate (.crt file) to clients.crt and restarted the nginx server to test. When I connected with the curl command using my full-chained pem (with two intermediate CA certs inside), the nginx error log recorded:

    2020/10/28 09:32:51 [info] 15940#15940: *7 client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: 172.104.96.232, server: ...

I searched a bit and realised that OpenSSL could not verify the chained-cert file all the way back to its root CA. I am using Ubuntu 16 and see that a bunch of root CAs are already present in the /etc/ssl/certs folder.

My question is: how can I tell Nginx/OpenSSL to look in this directory and find the appropriate root CA to verify against?

Thank you!
If you read the docs for ssl_client_certificate you will see that it says:

    Specifies a file with trusted CA certificates in the PEM format used to verify client certificates

You therefore add the Root CA certificate to this file and configure your client to send the end-entity (client) certificate along with any intermediate CA certificates.
Correct answer by garethTheRed on December 11, 2020
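As an added example (not code from the question or the answer), this POSIX shell script builds a throw-away root CA, intermediate CA and client certificate, then runs the same verification that nginx/OpenSSL applies to a client certificate: once with the root in the trust file and the intermediate supplied by the client, once with the intermediate missing, and once with the trust file holding only the leaf certificate while the client sends its chain, which is the setup described in the question. All names and paths are constructed for the demo; it only needs the `openssl` binary.

```shell
# Added example, not code from the question or the answer: builds a throw-away
# root CA -> intermediate CA -> client certificate in a temp dir, then runs the
# check nginx/OpenSSL performs on a client certificate, to show why the trust
# file needs the root CA while the client must present its intermediate(s).
set -eu
WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
gen_pki() {
  # Self-signed root CA (constructed demo names)
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$CFG" -extensions ca_ext \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$CFG" -extensions ca_ext -out "$WORK/inter.crt" 2>/dev/null
  # Client (end-entity) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=demo-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/client.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$CFG" -extensions leaf_ext -out "$WORK/client.crt" 2>/dev/null
}
# verify_chain TRUST_FILE [INTERMEDIATES]: TRUST_FILE plays the role of
# ssl_client_certificate; INTERMEDIATES is what the client sends next to its
# own cert (curl --cert sends every certificate found in the PEM file).
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/client.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1
  fi
}
report() { if "$@"; then echo OK; else echo FAIL; fi; }
gen_pki
printf 'root trusted, client sends intermediate:    '; report verify_chain "$WORK/root.crt" "$WORK/inter.crt"
printf 'root trusted, intermediate not sent:        '; report verify_chain "$WORK/root.crt"
printf 'trust file = leaf only, chain sent (question): '; report verify_chain "$WORK/client.crt" "$WORK/inter.crt"
```

Only the first case passes; the last case is the question's configuration and fails because the chain built from the presented certificates never reaches a trusted root.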