
Server-mode SSL ignores CA cert #280

Closed
dos1 opened this issue Apr 4, 2018 · 0 comments
dos1 commented Apr 4, 2018

When I tried to use a Let's Encrypt certificate instead of a self-signed one with the server-mode XMPP frontend, I couldn't get the clients to properly verify the cert.

It turns out the certificate chain as presented by Spectrum is incomplete and contains only the server cert, while it should also present the CA cert if one is present in the pkcs12, so the intermediate certificate can be verified against the root certs.

Cert on Spectrum's server that fails verification:

CONNECTED(00000003)
depth=0 CN = redacted.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redacted.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---

Cert on ejabberd, verified correctly:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = redacted.domain.com
verify return:1
---
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
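A stdlib-only Python check, added here as an example (it is not Spectrum's or ejabberd's code), that walks the chain section of an `openssl s_client` transcript and reports the issuer the server should have sent but did not. It embeds the two transcripts from this issue; the trust store is a constructed placeholder holding only root subject names.

```python
import re

# Two s_client transcripts copied from the issue above: the Spectrum side (truncated chain)
SPECTRUM_OUTPUT = """CONNECTED(00000003)
depth=0 CN = redacted.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redacted.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

# and the ejabberd side (full chain); the chain section alone is enough for the check.
EJABBERD_OUTPUT = """---
Certificate chain
 0 s:/CN=redacted.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Constructed trust store (placeholder): subject names of roots the client already trusts.
TRUSTED_ROOTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

def parse_chain(output):
    """Chain as sent by the server: a list of (subject, issuer) pairs, leaf first."""
    section = output.split("Certificate chain", 1)[1].split("---", 1)[0]
    names = re.findall(r"^\s*(?:\d+ s|i):(.*)$", section, re.M)  # s: and i: lines alternate
    return list(zip(names[0::2], names[1::2]))

def verify_errors(output):
    """Set of X509 verify error numbers s_client printed (e.g. 20 and 21 for a missing intermediate)."""
    return {int(n) for n in re.findall(r"verify error:num=(\d+)", output)}

def missing_issuer(chain, trusted_roots):
    """Issuer name the server failed to send, or None if the chain links up to a trusted root."""
    for (subject, issuer), nxt in zip(chain, chain[1:] + [None]):
        if issuer in trusted_roots or issuer == subject:
            return None  # reached a trusted root (or a self-signed cert): chain is complete
        if nxt is None or nxt[0] != issuer:
            return issuer  # the server stopped before sending this cert's issuer
    return None
```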