Obtain the signed certificate from the Certificate Authority (CA). You might also receive a certificate
trust chain if the CA did not directly sign the certificate. The certificate trust chain might be provided
as a separate file or it might be concatenated directly onto the signed certificate.
If the signed certificate is not in a PEM-encoded format, reencode the certificate in the PEM format
openssl x509 –in input.der –inform DER –out output.pem –outform PEM
I've read through the win-acme issue tracker, and it seems like fqdn-chain.pem is the equivalent of fullchain.pem.
It should contain your leaf certificate as the first certificate, and the intermediate certificate as the second certificate.
That could be because the Windows certificate tool is automatically finding a path from the intermediate in the file to the root which is pre-installed on your computer. That is, after all, the point in intermediates and roots .
I would try using the -chain.pem file in your server software.