How to configure the SSL chain?

We are self-hosting Gitea with a (not self-signed) X.509 certificate for HTTPS encryption.
The website works fine in a web browser, without needing to install a certificate or CA. The root of the CA tree is included in Linux /etc/ssl/certs/ca-certificates.crt.

However, when trying to run ‘git clone https://’, it fails with ‘fatal: unable to access : server certificate verification failed. CAfile: none CRLfile: none’.

After some research, this is apparently due to the fact that we are only serving the certificate, not the chain including intermediaries. This is verified by testing with e.g. ‘’. However, if I replace the cert.pem in the Gitea configuration with ‘chain.pem’, Gitea fails to start the web server, with the message ‘tls: private key does not match public key’. I’ve verified that the certificate itself, at the end of chain.pem, is exactly the same as the contents of ‘cert.pem’.

How do I get Gitea to properly serve the full certificate chain (without root certificate)? It seems that this is needed for better browser support, and ‘git clone’ from the command line.
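
Added example, not part of the original post and not Gitea's own code: the quoted error string is the one Go's crypto/tls returns, and its key-pair loader treats the first CERTIFICATE block in the file as the leaf, so a chain file with the server certificate at the end fails while the same blocks with the leaf first load. The sketch assumes the file is loaded through `tls.X509KeyPair`; the CA, the host name `gitea.example.test` and all keys are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate; a nil parent makes a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	return tmpl, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// LoadBothOrders loads the same two certificates with the leaf's private key,
// once ordered intermediate-then-leaf and once leaf-then-intermediate.
func LoadBothOrders() (leafLast, leafFirst error) {
	ca, caKey, caPEM := newCert("Constructed Intermediate CA", nil, nil)
	_, leafKey, leafPEM := newCert("gitea.example.test", ca, caKey)
	keyDER, _ := x509.MarshalECPrivateKey(leafKey)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	_, leafLast = tls.X509KeyPair(append(append([]byte{}, caPEM...), leafPEM...), keyPEM)
	_, leafFirst = tls.X509KeyPair(append(append([]byte{}, leafPEM...), caPEM...), keyPEM)
	return
}

func main() {
	fmt.Println(LoadBothOrders())
}
```
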