Intermediate Certificate not being used #5

@robinmordasiewicz

Description

AKS 1.30
Fortiweb 7.6
Ingress 2.0.1
My TLS secret is successfully created and has the intermediate concatenated with the signed certificate. The ingress controller creates the TLS certificate on the fortiweb, but the intermediate certificate is not included in the SSL negotiation.
I have logs showing the fortiweb ingress controller successfully uploading the config, including certificates+intermediate. The following openssl command shows that the intermediate is not included in the response. If I manually add the intermediate using the UI and associate the cert-group with the server policy, then it works. I also tried adding an annotation "server-policy-intermediate-certificate-group: letsencrypt-ca-group", but it seems these annotations are not implemented.

openssl s_client -connect docs.robinmordasiewicz.amerintlxperts.com:443 -showcerts
Connecting to 64:ff9b::acae:39c5
CONNECTED(00000005)
depth=0 CN=docs.robinmordasiewicz.amerintlxperts.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=docs.robinmordasiewicz.amerintlxperts.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=docs.robinmordasiewicz.amerintlxperts.com
verify return:1


Certificate chain
0 s:CN=docs.robinmordasiewicz.amerintlxperts.com
i:C=US, O=Let's Encrypt, CN=R10
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 4 12:35:53 2024 GMT; NotAfter: Mar 4 12:35:52 2025 GMT

Server certificate
subject=CN=docs.robinmordasiewicz.amerintlxperts.com
issuer=C=US, O=Let's Encrypt, CN=R10

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2011 bytes and written 445 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 149D46F888DC50EF7336A1580ED1E267D5EDBF68052DFE43382E1F6EF65BAD30
Session-ID-ctx:
Master-Key: 2F7F9F34B6D5BD877764D874F9C69670EEE4CFE4008881D4A20A7AC69C6453E9EE72EAA24EB979445BF50C45B201C356
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1733319607
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
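The failure shown in the openssl output above (verify return code 21, only certificate 0 in the chain) reproduced offline in Go, as an added example that is not part of this issue or of the FortiWeb ingress controller: a constructed root -> intermediate -> leaf chain, where a client that trusts only the root verifies the leaf only when the intermediate is sent alongside it. The host name and the CA names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// tmpl returns a certificate template valid for a day; callers add the CA or SAN fields.
func tmpl(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}
// issue signs t with parentKey (self-signed when parent is nil) and returns the parsed cert and its key.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Chain builds a constructed root -> intermediate -> leaf hierarchy for host, the shape of a Let's Encrypt chain.
func Chain(host string) (leaf, inter, root *x509.Certificate) {
	rootT, interT, leafT := tmpl("Constructed Root", 1), tmpl("Constructed Intermediate", 2), tmpl(host, 3)
	for _, t := range []*x509.Certificate{rootT, interT} {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	leafT.DNSNames = []string{host}
	root, rootKey := issue(rootT, nil, nil)
	inter, interKey := issue(interT, root, rootKey)
	leaf, _ = issue(leafT, inter, interKey)
	return leaf, inter, root
}
// VerifyServed checks served[0] as a browser would: only root is trusted, so it passes only if the intermediate was served.
func VerifyServed(served []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}
```

Serving only the leaf yields an unknown-authority error, the Go equivalent of openssl's "unable to verify the first certificate"; serving leaf plus intermediate verifies cleanly.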
