@enricof plugins.security.ssl.http.pemcert_filepath should contain only intermediate CA + root CA.
Please be aware that the admin certificate should be signed by the same Intermediate/RootCA as the node cert. If they’re different then you need to add the admin’s RootCA to that chain.pem file too.
-----BEGIN CERTIFICATE-----
< intermediate CA cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA cert >
-----END CERTIFICATE-----