The problem is that you copied a precertificate, not a final certificate. Because of Certificate Transparency requirements enforced by current browsers, CAs currently issue certificates in multiple stages:
- First the CA generates and signs a precertificate, which contains a “CT Precertificate Poison” extension marked critical. This extension intentionally makes the precertificate unusable.
- The CA submits the precertificate to several CT logs (currently the minimum requirements are 1 Google log and 1 non-Google log) and obtains Signed Certificate Timestamps (SCTs) from those logs.
- The CA generates and signs the final certificate, which contains the non-critical “CT Precertificate SCTs” extension instead of the critical “CT Precertificate Poison” extension. This certificate can be used for the intended purpose, unlike the precertificate.
- Finally, the CA may submit the final certificate to CT logs (technically this is not required, because the precertificate is already there, but good CAs usually do this).

To solve your problem, you need to remove the syncpilot-test.xitrust.com-crt.pem file (which actually contains a precertificate) from your web server configuration, and just use syncpilot-test.xitrust.com-chain.pem (this file contains both the server certificate and the required intermediate certificate). With Apache 2.4 you need to use

    SSLCertificateFile /path/to/syncpilot-test.xitrust.com-chain.pem
    SSLCertificateKeyFile /path/to/syncpilot-test.xitrust.com-key.pem

and omit SSLCertificateChainFile (which is documented as obsolete).
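A quick way to tell which kind of certificate a PEM file holds before pointing the web server at it, as an added example that is not part of the original answer. It assumes a byte scan for the DER-encoded extension OIDs is good enough (it does not fully parse X.509 or check the critical flag); the function names are hypothetical and the sample blobs are constructed, not real certificates.

```python
import base64
import re
import sys

# DER encoding (tag 0x06, length 0x0A, value) of the two CT extension OIDs.
POISON_OID = bytes.fromhex("060a2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3
SCT_LIST_OID = bytes.fromhex("060a2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def classify_der(der):
    """Classify one DER certificate by which CT extension OID it carries."""
    if POISON_OID in der:
        return "precertificate"
    if SCT_LIST_OID in der:
        return "final certificate with embedded SCTs"
    return "certificate without CT extensions"


def classify_pem(pem_text):
    """Return one classification per CERTIFICATE block, in file order."""
    results = []
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        results.append(classify_der(der))
    return results


def to_pem(der):
    """Wrap DER bytes in PEM armour (used here only for the samples)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed samples: filler bytes around the extension encodings.
# Poison extension = SEQUENCE { OID, BOOLEAN TRUE (critical), OCTET STRING { NULL } }
SAMPLE_PRECERT = (b"\x30\x20filler" + bytes.fromhex("3013") + POISON_OID
                  + bytes.fromhex("0101ff04020500"))
SAMPLE_FINAL = b"\x30\x20filler" + SCT_LIST_OID + b"\x04\x03sct"
SAMPLE_INTERMEDIATE = b"\x30\x20filler-intermediate"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            for index, kind in enumerate(classify_pem(fh.read())):
                print(f"{path} [{index}]: {kind}")
```

Run against the two files from the question, the `-crt.pem` file would report a precertificate, while the `-chain.pem` file should list the final certificate first and the intermediate second.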