"unable to get local issuer certificate" is the expected error from OpenSSL when an intermediate is missing. Curl/OpenSSL does not download intermediates on the fly as browsers sometimes do.
Yes. Ideally you'd want to keep both separated, but some stupid services like lighttpd require this unfortunately. By using fullchain.pem instead of cert.pem you'll instruct lighttpd to also serve the intermediate certs.
Scratch that, lighttpd can also use a separate file:
ssl.pemfile = "/path/to/fullchain.pem" # public cert and intermediate cert chain, if any
ssl.privkey = "/path/to/privkey.pem"
Please use the above with the existing files instead of combining them 
See Docs SSL - Lighttpd - lighty labs for more info.