Thank you for your insights!
Decoding your X.509 certificate, pulling the AIA out of it, then fetching the URL shown, and converting the results (which will be binary Distinguished Encoding of the certificate not the PEM files you're likely used to) is a bunch of work, but it is certainly possible, if the sensible "Just get the fullchain file" option doesn't work out.
This sounds like a lot of fun unfortunately I'll not be able to justify doing this, since 1. it's probably best to first ask support if they can change the system or tell me how to get correct fullchain.pem from them and 2. now that I understand the underlying issues and the solutions, it won't be hard for me to solve a similar issue in the future. This server is not business critical, it supports my hobby project - a twitch extension, so occasional downtime is not a deal-breaker. Still, I'm glad to learn more about the internal workings
As an earlier poster suggested, the 'ca' option passed to your Express setup is incorrect. This option controls which CAs you want Express to trust, and the defaults are going to be fine for you. In fact chances are you don't care what Express trusts, as this only makes sense for Mutual authenticated TLS where both servers and clients have certificates to identify them. You ought to be passing your entire chain to the 'cert' option as one string. If you have two strings (representing the leaf certificate and then one or more intermediates) you should be able to concatenate them to produce a valid chain.
So essentially you're saying that the fact that the setup works with the intermediate in
ca parameter is probably a side effect of Express's or node's internal workings - e.g. if it knows the intermediate certificate which was used to sign the leaf cert in
certs but which is not provided there, it fills in the chain automatically, i.e. behaving as if I provided the proper certificate chain myself. Or something along those lines.
In any case, what you suggested works!
cert: fs.readFileSync(publicKeyPath) + '\n' + fs.readFileSync(intermediateKeyPath),
I remember a year ago, when I was setting the cert up for the first time, it felt very daunting and disorienting since it was hard for me to find relevant resources (if my hosting provided the fullchain.pem right away, probably none of this would have been an issue - also most likely the reason why I struggled in the first place to make it work). Still, I'm curious to learn more about this topic, would you recommend some resources to me please? A book/youtube series/online wiki, where this topic is covered at an introductory/intermediate level?