Hi all, I got called into a setup where the SSL cert will expire tonight, and OPNsense / HAProxy gets stuck with the error below whenever the cert is assigned to a virtual service:
[ALERT] (6741) : parsing [/usr/local/etc/haproxy.conf.staging:72] : 'bind 127.0.0.1:4343' : 'crt-list' : unable to load certificate chain from file '/tmp/haproxy/ssl/64087d98063ba.pem'.
What I got with the purchase of the certificate is the actual certificate.crt and an intermediate.crt, which allowed me to create a pem file holding the certificate and the private key.
Now, the first problem was that for some reason HAProxy didn't seem to like the attributes at the beginning of the private key; it complained with "no private key found" or something similar:
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,6F76BEAA695D14CC99B0165C4CC95655
After deleting those, the private key error went away and I got to the "unable to load certificate chain" error.
So I assume it's now down to the values I put into the Certificate data field in OPNsense. I tried:
– CA –
– Intermediate –
just
– Intermediate –
None would work. Is there any way for me to find out what is actually missing, or where I might have the wrong certificate?
And can someone confirm that what I need is indeed CA / Intermediate, in that order?
I had to download the CA file from the actual CA's website (Certum) and might have picked the wrong CA file?
Any help is truly appreciated.
Edit: I have meanwhile received a file from the vendor which includes the Certum intermediates and root.
That means I now have:
— Intermediate —
— Intermediate —
— Root —
— My certificate —
…and I still get the same error.
Should I be able to test this with openssl?
Because when I do, I get an error as well:
openssl verify -verbose Certum_BUNDLE-INTERMEDIATES-ROOT.crt ciphermail_keys1_without_bag.pem
Certum_BUNDLE-INTERMEDIATES-ROOT.crt: OK
CN = *.mydomain.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error ciphermail_keys1_without_bag.pem: verification failed
The ciphermail_keys1_without_bag file contains my certificate and private key.
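A worked check for the situation described in the post, added here as an example (it is not from the original post or from OPNsense/HAProxy): it assembles the PEM in the order HAProxy loads it, verifies the chain with openssl the way a client would (trust anchors go in via -CAfile rather than as a positional argument), and confirms the key belongs to the certificate. Assumed file names: certificate.crt for the server certificate, intermediate.crt and root.crt for the issuer chain, and an already decrypted key in private.key.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed file names: the server
# certificate certificate.crt, the issuer chain intermediate.crt and root.crt,
# and an already decrypted private key in private.key.
set -e

# Assemble the PEM HAProxy loads: the first certificate in the file is taken as
# the server certificate and every following certificate as the chain; the
# unencrypted private key may sit anywhere. The root is not needed by clients.
build_haproxy_pem() {   # build_haproxy_pem out.pem leaf.crt key.pem inter.crt [more.crt ...]
  out=$1; leaf=$2; key=$3
  shift 3
  cat "$leaf" "$@" "$key" > "$out"
  chmod 600 "$out"
}

# Check the chain the way a client would: trust only the root (-CAfile) and
# offer the intermediates as untrusted helpers (-untrusted). Passing the bundle
# as a positional argument, as in the post, only verifies the bundle itself.
verify_chain() {   # verify_chain leaf.crt root.crt inter.crt [more.crt ...]
  leaf=$1; root=$2
  shift 2
  chain=$(mktemp)
  cat "$@" > "$chain"
  rc=0
  openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" > /dev/null || rc=$?
  rm -f "$chain"
  return $rc
}

# Confirm the private key belongs to the server certificate by comparing the
# public key derived from each; a mismatch is another cause of load failures.
key_matches_cert() {   # key_matches_cert leaf.crt private.key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage, with the assumed file names:
#   verify_chain certificate.crt root.crt intermediate.crt
#   key_matches_cert certificate.crt private.key
#   build_haproxy_pem haproxy.pem certificate.crt private.key intermediate.crt
```

Deleting the Proc-Type / DEK-Info headers does not decrypt the key bytes that follow them; decrypt the key first with `openssl pkey -in encrypted.key -out private.key` (it prompts for the passphrase) and feed that file to the functions above.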