Wow! So many questions
I am happy to see that I am not alone on this one =)
Sorry for taking so long to reply. I will try to be of any help.
@jrf: I don't have issues on my Android phone:
I have no iPhone to test with.
I don't seem to have any chain issues like @szw has. Check for yourself here: https://www.ssllabs.com/ssltest/analyze.html?d=melo.myds.me
But the SSL Labs output is different than in @szw's case:
Additional Certificates (if supplied)
Certificates provided 2 (2497 bytes)
Chain issues None
Please note! This SSL Labs output is from my webserver and not from my Tomcat, since I do not run my Tomcat on 443 and thus I can't test it with SSL Labs. I have no URL on 443 redirecting to 8443.
My JKS has two entries:
keytool -list -keystore MyDSKeyStore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
root, Nov 13, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XX
tomcat, Nov 13, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): YY
As in @galactoise's case, one entry by the alias of root is for Let's Encrypt and issued by DST Root CA X3, and the other entry by the alias of tomcat is for my domain and issued by Let's Encrypt.
The AuthorityKeyIdentifier in my PrivateKeyEntry matches the SubjectKeyIdentifier of Let's Encrypt's trustedCertEntry, as is to be expected, since LE issued/validated my cert.
I am very sure that I am not forgetting any steps, because I documented the steps at the time of execution, since I was (and I am still) thinking about writing a blog post about this.
You create a PKCS12 that contains both your cert and the private key
You convert that PKCS12 to a JKS
And you finally add the chain to it as trusted CA certificate
I did not come up with the solution all on my own. It is based on what I learned from here: http://stackoverflow.com/a/8224863
(FYI: This site here is also quite convenient and worth a bookmark: http://shib.kuleuven.be/docs/ssl_commands.shtml)
I believe the connector configuration is critical, so please check it twice and make sure you provide the keyAlias with the alias you used for your JKS's PrivateKeyEntry (in my case this is "tomcat").
@galactoise: I did run openssl s_client -connect melo.myds.me:8443 like you did but I am not sure if this command is really helping to debug your problem. I also have negative output with that command but am not really sure what to do with it.
melo@melo-desktop:~$ openssl s_client -connect melo.myds.me:8443
depth=0 CN = melo.myds.me
verify error:num=20:unable to get local issuer certificate
depth=0 CN = melo.myds.me
verify error:num=21:unable to verify the first certificate
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 1825 bytes and written 481 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA256
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1449402375
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
Hope to be of any help with this and wish you good luck =)
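
One way to read the verify lines of `openssl s_client` output like the one in the post above, as an added example that is not part of the original post: the function name, verdict words and sample data are constructed for illustration. It assumes the leaf is issued by an intermediate CA, so an error 20 or 21 at depth 0 means the issuer was neither sent by the server nor present in the client's trust store.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `openssl s_client` output
# on stdin and prints one verdict based on the first verify error:
#   ok              verify return code 0
#   missing-issuer  error 20/21 at depth 0: no issuer found for the leaf
#   untrusted-root  error 19, or 20 at depth >= 1: chain sent, root not trusted
#   other:<code>    any other verify error;  unknown: no verification lines
diagnose_chain() {
    awk '
        /^depth=[0-9]+/ {                       # depth line precedes its error
            split($1, d, "="); depth = d[2] + 0
        }
        /^verify error:num=[0-9]+:/ && !seen {  # keep only the first error
            split($0, e, ":"); sub(/^num=/, "", e[2])
            code = e[2] + 0; errdepth = depth; seen = 1
        }
        /Verify return code: 0 \(ok\)/ { ok = 1 }
        END {
            if (!seen) { print (ok ? "ok" : "unknown"); exit }
            if ((code == 20 || code == 21) && errdepth == 0) print "missing-issuer"
            else if (code == 19 || code == 20) print "untrusted-root"
            else print "other:" code
        }
    '
}

# Constructed samples (example.test and the CA names are placeholders).
SAMPLE_LEAF_ONLY='depth=0 CN = example.test
verify error:num=20:unable to get local issuer certificate
depth=0 CN = example.test
verify error:num=21:unable to verify the first certificate
    Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_NO_ROOT='depth=1 C = US, O = Example CA, CN = Example Intermediate
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'

SAMPLE_OK='depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = example.test
verify return:1
    Verify return code: 0 (ok)'

for s in "$SAMPLE_LEAF_ONLY" "$SAMPLE_NO_ROOT" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | diagnose_chain
done
```

To run it against a live server, pipe in `openssl s_client -connect host:port </dev/null 2>&1`; the `2>&1` matters because the depth and verify error lines are written to stderr.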