nginx：ssl 验证失败+错误重定向

这是我当前的 nginx 配置：

$ cat /etc/nginx/sites-enabled/bitbucket

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name git.itextsupport.com bitbucket.itextsupport.com gitlab.itextsupport.com;

        return 302 https://git.itextsupport.com$request_uri;
}

server {
        listen 443 ssl default_server;

        server_name git.itextsupport.com;
        server_tokens off;
        add_header Strict-Transport-Security "max-age=31536000";

        access_log  /var/log/nginx/bitbucket_access.log;
        error_log   /var/log/nginx/bitbucket_error.log;

        ssl on;
        ssl_certificate /etc/ssl/private/ssl-itextsupport.pem;
        ssl_certificate_key /etc/ssl/private/ssl-itextsupport.key;

        location / {
                proxy_pass http://localhost:7990/;
                proxy_set_header        Host $host;
                proxy_set_header        X-Forwarded-Host $host;
                proxy_set_header        X-Forwarded-Server $host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_redirect          off;
        }
}

---

httpgit在控制台中重定向到是可以的：

$ curl -I http://git.itextsupport.com                                                                                                                                                                                                    10:09  amedee@iTextQA
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 15 Nov 2016 13:15:50 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://git.itextsupport.com/

但在 Chrome 中，它会重定向到https://gitlab.itextsupport.com/。 DevTools 打开时，浏览器缓存已被清除并禁用。欢迎提出 NUKE Chrome 重定向缓存的建议，但这不是我的问题。

上述重定向对于http://bitbucket.itextsupport.com和 也同样适用http://gitlab.itextsupport.com。再次，在 Chrome 中不起作用，但这不是我的问题。

---

下一步：测试https重定向。

$ curl -I https://bitbucket.itextsupport.com                                                                                                                                                                                                 curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

我-k按建议添加：

$ curl -I https://bitbucket.itextsupport.com -k                                                                                                                                                                                              HTTP/1.1 302 Found
Server: nginx
Date: Tue, 15 Nov 2016 13:31:56 GMT
Connection: keep-alive
X-AREQUESTID: @PT467Wx871x701860x0
X-ASEN: SEN-L8781032
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Location: https://gitlab.itextsupport.com/dashboard
Content-Language: en-US
Strict-Transport-Security: max-age=31536000

我的两个问题：

1. SSL 验证为何失败？我已验证/etc/ssl/private/ssl-itextsupport.{pem,key}，它们与托管公司提供的文件完全相同，并且已在其他支持 https 的服务器上使用。它在控制台和浏览器中失败。
2. 为什么 https 会重定向到gitlab子域而不是git子域？我 grep 了整个服务器，但找不到任何可能导致此问题的相关 nginx 配置。