How to use the certificate for Tomcat

Hi all. I have to apologize! I provided you with wrong directions… :pensive:

Thanks to @galactoise for pointing out the use of openssl s_client to test.

I noticed a difference between
openssl s_client -connect melo.myds.me:443
and
openssl s_client -connect melo.myds.me:8443

The webserver did serve everything correctly, so the output was like

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify return:1
depth=0 CN = melo.myds.me
verify return:1
---
Certificate chain
 0 s:/CN=melo.myds.me
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

However, Tomcat on port 8443 returned the same issue @galactoise encountered:

CONNECTED(00000003)
depth=0 CN = melo.myds.me
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = melo.myds.me
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=melo.myds.me
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---

Then it came to me: What if the JKS contained only one entry that represents the whole chain?
So here is what I did:

  1. create a PKCS12 that contains both your full chain and the private key, which for me looked like this:
    openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat

  2. convert that PKCS12 to a JKS, which looks like this:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias tomcat

I replaced the old JKS with this one, restarted Tomcat, and now I get a successful connection with openssl s_client -connect melo.myds.me:8443

@galactoise Sorry for wasting your time by providing wrong directions. Can you give it a try with the fullchain and tell us if this works correctly for you?

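The two-step procedure above (PKCS12 with the full chain, then JKS import) and the openssl s_client check, as an added example that is not part of the original post. It wraps the post's commands in a function that also verifies the resulting JKS entry reports a chain length of 2, and adds a small judge for openssl s_client output that tells a full-chain port from a leaf-only one. The function names, the password handling, the -servername flag and the sample outputs (abridged from what the post shows for :443 and :8443) are this example's own assumptions; the keystore function needs openssl and keytool on PATH, the probe needs network access, and the judge runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Let's Encrypt-style
# fullchain.pem / privkey.pem and that openssl and keytool are on PATH.
# build_tomcat_keystore, chain_count, has_verify_error, judge_s_client and
# probe_port are names chosen for this example.
set -u

# Step 1 + 2 from the post: one PKCS12 entry carrying the key AND the full
# chain, imported into a JKS under the alias "tomcat". Afterwards the entry
# must report "Certificate chain length: 2" (leaf + intermediate), not 1.
build_tomcat_keystore() {  # fullchain.pem privkey.pem out.jks password
    openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
        -passout "pass:$4" -out fullchain_and_key.p12 || return 1
    keytool -importkeystore -noprompt \
        -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass "$4" \
        -destkeystore "$3" -deststorepass "$4" -destkeypass "$4" -alias tomcat || return 1
    keytool -list -v -keystore "$3" -storepass "$4" -alias tomcat \
        | grep 'Certificate chain length'
}

# Number of certificates listed in the "Certificate chain" block of
# openssl s_client output read from stdin (counts the " N s:" lines).
chain_count() {
    awk '/^Certificate chain/ { in_chain = 1; next }
         /^---/               { in_chain = 0 }
         in_chain && /^ *[0-9]+ s:/ { n++ }
         END { print n + 0 }'
}

# True when s_client printed any "verify error:" line (stdin).
has_verify_error() { grep -q '^verify error:'; }

# Reads s_client output from stdin; prints a verdict, exit 0 for a served
# intermediate, 1 when only the leaf came back (the :8443 symptom in the post).
judge_s_client() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | chain_count)
    if [ "$n" -ge 2 ] && ! printf '%s\n' "$out" | has_verify_error; then
        echo "full-chain ($n certificates)"
        return 0
    fi
    echo "leaf-only ($n certificate(s)); server must send the intermediate"
    return 1
}

# Live probe of host:port; -servername sets SNI so a name-based vhost answers.
probe_port() {  # host port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | judge_s_client
}

# Constructed sample outputs, abridged from the post's :443 and :8443 runs.
GOOD_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=0 CN = melo.myds.me
verify return:1
---
Certificate chain
 0 s:/CN=melo.myds.me
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
)

BAD_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = melo.myds.me
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = melo.myds.me
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=melo.myds.me
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
EOF
)

# Usage: sh tomcat_chain.sh probe melo.myds.me 8443
if [ "${1:-}" = probe ]; then
    probe_port "$2" "$3"
fi
```

Run the judge on the two samples to see the split (the :443 sample is reported as full-chain, the :8443 one as leaf-only), then point probe_port at your own host after replacing the JKS; the keystore listing line from build_tomcat_keystore should read "Certificate chain length: 2".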