I'm trying to run GitLab's omnibus installer and use my organization's SSL certificate, but SSL clients complain that the certificate issuer is unknown. How am I supposed to configure intermediate certificates in the trust chain?
My setup starts with running the latest version of GitLab, exposing ports for HTTPS and HTTP, among others:
sudo docker run --detach --hostname myserver.myorg.org --publish 1443:443 --publish 1080:80 \
--publish 2222:22 --publish 5005:5005 --name gitlab1 \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab gitlab/gitlab-ce:14.2.3-ce.0
That creates a bunch of default configuration in /srv/gitlab/config, so I go and set the server's URL in gitlab.rb:
external_url 'https://myserver.myorg.org'
I received a certificate file and key file from my organization, so I copy them to the /srv/gitlab/config/ssl directory as myserver.myorg.org.crt and myserver.myorg.org.key. Then I reconfigure the GitLab server:
sudo docker exec -it gitlab1 bash -c "gitlab-ctl reconfigure"
Now I try to validate the SSL configuration:
echo | gnutls-cli -p1443 myserver.myorg.org
I get a bunch of errors in the output, including these:
...
Processed 129 CA certificate(s).
Resolving 'myserver.myorg.org:1443'...
Connecting to '127.0.0.1:1443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
...
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
That looks like I don't have the complete trust chain. The issuer for our organization's certificate is "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US". I found their certificates on their website, and downloaded that specific one:
wget https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem
I extracted the text version of the certificate:
openssl x509 -in DigiCertTLSRSASHA2562020CA1-1.crt.pem -text
...
-----BEGIN CERTIFICATE-----
MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
...
A7sKPPcw7+uvTPyLNhBzPvOk
-----END CERTIFICATE-----
I appended that to my organization's certificate in /srv/gitlab/config/ssl/myserver.myorg.org.crt
so now it has the organization's certificate first, then the DigiCert certificate.
-----BEGIN CERTIFICATE-----
... our organization's certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... DigiCert certificate I just downloaded ...
-----END CERTIFICATE-----
This is the step I'm least confident about. I'm basing it on the GitLab instructions:
Make sure you use the full certificate chain in order to prevent SSL errors when clients connect. The full certificate chain order should consist of the server certificate first, followed by all intermediate certificates, with the root CA last.
Does that just mean stick the two certificates together in the same file?
Anyway, I ran the reconfigure command and tested again:
sudo docker exec -it gitlab1 bash -c "gitlab-ctl reconfigure"
...
echo | gnutls-cli -p1443 myserver.myorg.org
I still get the same errors, including "Got a certificate list of 1 certificates." That makes me think that I didn't add the DigiCert certificate to the chain properly. I also tried putting the DigiCert certificate before our organization's certificate.
Just to make sure that the certificates are valid, I followed this post. The openssl s_server and openssl s_client worked fine together, so I think the problem is my GitLab configuration.
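As an added example (not code from the question or from GitLab), here is a stdlib-only Python checker for the ordering rule quoted above: each certificate in a PEM bundle must be issued by the one that follows it, which the checker tests by comparing the DER-encoded issuer Name of each certificate with the subject Name of the next. It checks order only, not signatures or expiry; the toy_pem helper builds constructed certificate skeletons with real DER structure but a filler signature, and the names used with it are assumed sample values.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed DER value into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der):
    """Return the raw DER content of a certificate's issuer and subject Names."""
    fields = _children(_children(_tlv(der)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                            # skip the explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject, ...

def check_bundle(pem_text):
    """List ordering problems: certificate i must be issued by certificate i+1 (byte-equal DER Names)."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    names = [issuer_and_subject(c) for c in certs]
    return [f"certificate {i + 1} is not issued by certificate {i + 2}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# --- constructed demo data: certificate skeletons with valid DER layout, no real signature ---
def _der(tag, content):
    lb = len(content).to_bytes(max(1, (len(content).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if len(content) < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, PrintableString } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))

def toy_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Running check_bundle over the real /srv/gitlab/config/ssl/myserver.myorg.org.crt returns an empty list when the server certificate is first and the DigiCert intermediate second, and reports the mismatch when the two are swapped.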
When I read the GitLab documentation more closely, I realised that I had misunderstood the difference between reconfigure and hup nginx. I thought reconfigure would do everything in hup nginx plus a lot more. It turns out that reconfigure won't notice a change in the certificate files if you haven't changed anything in the /srv/gitlab/config/gitlab.rb file. I fixed my problem by running this command after appending the intermediate certificate onto /srv/gitlab/config/ssl/myserver.myorg.org.crt: