RHEL/CentOS 7 OpenSSL client compatibility after new chain

CentOS 7 has the optional X509_V_FLAG_TRUSTED_FIRST feature present in openssl 1.0.2 (exposed as -trusted_first flag for the openssl command line tools) but not enabled by default. Your application needs to enable it explicitly.

CentOS 8 with openssl 1.1.1 has it enabled by default.

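An added example, not part of the original post: one way an application can check for the flag and turn it on, shown with Python's ssl module, which exposes X509_V_FLAG_TRUSTED_FIRST as ssl.VERIFY_X509_TRUSTED_FIRST. The function names are hypothetical, and applications built on the OpenSSL C API or another binding need that API's equivalent call.

```python
import ssl

# ssl.VERIFY_X509_TRUSTED_FIRST is Python's name for OpenSSL's
# X509_V_FLAG_TRUSTED_FIRST. Python's ssl documentation lists it as enabled
# by default where available; checking it confirms that for the runtime in use.
# All function names below are hypothetical (added example).


def trusted_first_enabled(ctx):
    """True if the context asks OpenSSL to prefer trust-store certificates."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_TRUSTED_FIRST)


def ensure_trusted_first(ctx):
    """Set the flag if it is missing; return True when the context was changed."""
    if trusted_first_enabled(ctx):
        return False
    ctx.verify_flags |= ssl.VERIFY_X509_TRUSTED_FIRST
    return True


def make_client_context(cafile=None):
    """Verifying client context with trusted-first chain building.

    cafile=None uses the system trust store; hostname checking and
    CERT_REQUIRED come from ssl.create_default_context().
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ensure_trusted_first(ctx)
    return ctx


def report(ctx):
    """Summarise the settings that matter for chain building, for logging."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "trusted_first": trusted_first_enabled(ctx),
    }


if __name__ == "__main__":
    print(report(make_client_context()))
```

Logging the report at startup shows which OpenSSL build the process is linked against and whether the flag is in effect on the context it uses.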