Certbot: Trusted; were unable to verify this certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wave2.enkrott.com

I ran this command: SSL test

It produced this output:

My web server is (include version): Grafana 9.4.3

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Estoy chequeando el servidor ssl y en la pagina https://decoder.link/sslchecker/wave2.enkrott.com/443
me da 2 errores en el report.
1.- Trusted: incapaz de verificar el certificado
2.- The chain no contiene ningun certificado intermedio..
¿por que ocurre? ¿como lo puedo solucionar?

Gracias

Which certificate files did you use?

Here SSL Server Test: wave2.enkrott.com (Powered by Qualys SSL Labs) is showing
Chain issues Incomplete

This is what is being served for the certificate

$ openssl s_client -showcerts -servername wave2.enkrott.com -connect wave2.enkrott.com:443 < /dev/null
CONNECTED(00000003)
depth=0 CN = wave2.enkrott.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = wave2.enkrott.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = wave2.enkrott.com
verify return:1
---
Certificate chain
 0 s:CN = wave2.enkrott.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 11 15:35:01 2023 GMT; NotAfter: Jul 10 15:35:00 2023 GMT
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISBCiHhOzPLCDYpGks2KIRndHeMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA0MTExNTM1MDFaFw0yMzA3MTAxNTM1MDBaMBwxGjAYBgNVBAMT
EXdhdmUyLmVua3JvdHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA1FvHzWdeKPOVi79a/Tgmzg7ug4vws6mhLrLknajyrAYPzHVRq5Fhssyp8xOT
fKKJcgrT4uj4I1BAhT5DzrnpaEImTOPN/QA/T3DaOJ9pndfHAL3ZieK0I76BcGiH
gYmpv3YEkW81rLgQEZauSSPdirjdIT3Er2fZxL7R9gLebRq3zlPuBCUZt5Xz6KoW
q20TWeizTjJAMWeuH+Sh6/6zxTeByhUkIiDFqX3SuXsbm68Q0uTPIgjO1i1/C8Qx
xnNmlxAba6ezcszzqz4wte3RBMpocQMq7+IYORSrlKY1GHVTuVgIlMY06sk305MD
sCjYQC7LQ7fAUK/EiSgDwQvCDQIDAQABo4ICSzCCAkcwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBSqtk8/S/sX+gfgi0PYF5qQcgbJkzAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghF3YXZlMi5lbmtyb3R0LmNvbTBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2ALc++yTf
nE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl7bSZAAABh3ErstUAAAQDAEcwRQIgRyBO
SfKEFTLUj+HxOtyUzlPhpy1UGXDV3wGljbHCEW0CIQCA13XGqojJHD7OIaabdrpB
X7gXmrp99y0HBCQVQe7K+wB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlej
UutSAAABh3ErsuYAAAQDAEYwRAIgEU2Fb0L+flC0EMzm1nyt0w1dv3iLKjLAAlcb
cAJXtg8CIGIvUK4XpYV2EGLkg15q6mWR1dJZFyCIj3iTu+JMqTX2MA0GCSqGSIb3
DQEBCwUAA4IBAQAROUfq+BXtWiG+yrcopNsUGcJPdWuNdBylhIU+Mi6Da8nuVGvb
Srdr9rOhDfoGcNJiTvknIuJ+++Q+TmAX9LS7VnfDJljnJe2HWGmPX7SWNRkeDYHC
FXPbNiNLWm+CLPU6xFWInd3ji1Shv3AGDV0We2CxCZTbGsSHZXv5q4sDTxlHCOI2
iDwWACgDA5WZ7hYxlnt0ACa0MsnznN+1+4X4YtJxODJoyhrxpdyIkR9RCkIga4V/
C5o9s5eeF+b6v0hKZjtccmxRGGD+cnV5Sbhz2YCeAd1hxbygwBXxfJgMfVuC7cXq
57t6rg+xjwlQ4L0aWhhx3H5xdMua0k0tAAiN
-----END CERTIFICATE-----
---
Server certificate
subject=CN = wave2.enkrott.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1863 bytes and written 383 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: D5527036AA90A88D799660356F1A01E1419EC8577DD010A7DC33E8FB58AC6EF6
    Session-ID-ctx:
    Resumption PSK: 1F9CB805926D00BB6356B822A085281FCFAE968AA917C7CB2093741F4526DDEB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - f8 7b e5 ce 2e 9d 6b 11-93 68 d2 11 4a 50 04 83   .{....k..h..JP..
    0010 - 86 c8 8e 9d 6e 0b 83 ea-81 ab 42 f6 fe 9f 70 d0   ....n.....B...p.
    0020 - a0 0d 6b 39 d3 c0 15 63-04 54 34 55 45 7d 4f 6e   ..k9...c.T4UE}On
    0030 - fc 09 1d ce 9e b6 f9 f0-6a be 35 08 c9 44 c7 15   ........j.5..D..
    0040 - 99 c5 a4 a6 ad 17 96 19-b8 66 6c b4 b8 af 11 5b   .........fl....[
    0050 - 19 b4 4d f8 06 d3 2b 1a-54 36 df 42 74 b0 bc 2b   ..M...+.T6.Bt..+
    0060 - ad 96 70 85 c3 92 71 22-74 d2 4a da c0 01 2f fd   ..p...q"t.J.../.
    0070 - ee                                                .

    Start Time: 1684348267
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE

See Verifying a certificate - #5 by jsha
I my opinion, in most cases client applications do not follow the proper methods shown there.
You can find information here Long (default) and Short (alternate) Certificate Chains Explained

In configuration of Grafana

try using the file name fullchain.pem instead of cert.pem

Witth this change, it has been fixed
Thanks