Invalid cert when accessing from Android 6

Hello @rexamillion,

The first thing I would check is the reason why your Apache web server is not sending the intermediate certs, only the leaf certificate:

$ echo | openssl s_client -connect taimaka-internal.org:40 -servername taimaka-internal.org 2>/dev/null | grep -E -A1 '^\ [0-9]?\ s:'
 0 s:CN = taimaka-internal.org
   i:C = US, O = Let's Encrypt, CN = R3

And in your case, you used --preferred-chain "DST Root CA X3" (not needed because this is the default chain) and the output of the above command should look like:

 0 s:CN = taimaka-internal.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

So, I would recheck the Apache conf because the part where you define the paths to your cert and key should look like this:

SSLCertificateFile    /etc/letsencrypt/live/taimaka-internal.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/taimaka-internal.org/privkey.pem

or, if you are using an Apache version prior to 2.4.8, like this:

SSLCertificateFile    /etc/letsencrypt/live/taimaka-internal.org/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/taimaka-internal.org/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/taimaka-internal.org/privkey.pem

Hope this helps.

Cheers,
sahsanu

3 Likes
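
The check described in the reply above can be automated. The following is an added example, not part of the original post: a shell function that reads `openssl s_client` output and reports whether the server sent only the leaf certificate or a linked chain. The function and sample names (`chain_status`, `sample_leaf_only`, `sample_full_chain`, `sample_gap`) are hypothetical; the first two samples are the outputs quoted in the post and the third is constructed.

```shell
# Classify the "Certificate chain" section of `openssl s_client` output (stdin).
# Prints: leaf-only (no intermediates sent), broken (issuer of cert N is not
# the subject of cert N+1), ok (every cert is followed by its issuer), or
# no-chain (no certificate lines found).
chain_status() {
  awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); if (n > 0) iss[n - 1] = $0 }
    END {
      if (n == 0) { print "no-chain"; exit }
      if (n == 1) { print "leaf-only"; exit }
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) { print "broken"; exit }
      print "ok"
    }'
}

# Sample inputs copied from the two outputs quoted in the post.
sample_leaf_only() {
  cat <<'EOF'
 0 s:CN = taimaka-internal.org
   i:C = US, O = Let's Encrypt, CN = R3
EOF
}

sample_full_chain() {
  cat <<'EOF'
 0 s:CN = taimaka-internal.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Constructed: the intermediate is missing, so cert 0's issuer is not cert 1's subject.
sample_gap() {
  sample_full_chain | sed -n '1,2p;5,6p'
}

echo "leaf only : $(sample_leaf_only | chain_status)"
echo "full chain: $(sample_full_chain | chain_status)"
echo "gap       : $(sample_gap | chain_status)"
# Live use (HOST and PORT are placeholders):
#   echo | openssl s_client -connect HOST:PORT -servername HOST 2>/dev/null | chain_status
```

A `leaf-only` result corresponds to the misconfiguration discussed in the post, where `SSLCertificateFile` points at `cert.pem` without a chain file instead of at `fullchain.pem`.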