Having trouble with certificate chain (Let's Encrypt, missing R3)

Hi all, I could use some advice.

I have been running older versions of Jitsi on Debian 8, 9 and 10 for years. Now I updated to Deb 11 and was required to fully uninstall and re-install Jitsi to make it work again.

One problem remains, though: When some users connect, they’re told that the certs are invalid, apparently because the R3 cert is missing, as shown here: SSL Labs for jitsi subdomain on tempel org

Now, the server (apache2) uses the SAME certs for its other subdomains (e.g. h1) as I use in the /etc/prosody config. Yet, checking h1.tempel.org does NOT complain about an incomplete chain.

So, the prosody setup needs to be told something else that Apache does automatically, it seems.

The command prosodyctl check certs reports no issues.

I also searched the web for such an issue and found nothing. I’d think that this is a basic config issue, but I seem to be unique with this. Odd. I hope someone has a clue what I could be doing wrong, anyway.

All I know is that DST Root CA X3, which was used by R3, got revoked last year. But why is my h1 subdomain still working with it, then, but jitsi not, even though SSL Labs shows that both use the very same certificate for the two subdomains?

Maybe my Let's Encrypt certs need a refresh that unlinks something outdated? But I have auto-update for my certs working, so they should be fine, right?

I’ve found the issue after reading https://prosody.im/doc/certificates:

I had configured my webserver to deliver the “cert.pem” for SSL connections. That was incorrect. I had to change it to deliver the “fullchain.pem” instead. (And the other sites served by Apache also used that fullchain.cert file, and that’s why it worked there.)