@csbubbles, this is the most common post-issuance problem (dozens of other people have had the same trouble), so I wonder where we could best explain this to people.
If (in Certbot) you’re using Apache and you use the Apache installer, it automatically sets the correct chain file. If you used certonly, the “Congratulations!” message should have pointed you to fullchain.pem instead of cert.pem. So, I’m wondering where users are getting the idea of just using cert.pem without chain.pem. Is it just the filename? Is there some of our documentation that refers to the cert without also mentioning the chain? Is there a clear place where our messages could be improved?