GnuTLS (and hence tlstunnel and tlwebaccess/tlwebadm) will not accept a certificate chain where a subject/issuer pair in the chain is encoded in different ways.
E.g. the issuer field of the server certificate uses PrintableString but the subject of the CA certificate uses UTF8String.
This was forbidden in the original RFC 3280 so that distinguished names could be compared on a binary level. However RFC 5280 has relaxed this and requires the same comparison that LDAP does.
OpenSSL supports this case, but upstream GnuTLS seems to be very sceptical:
We have suggested a fix to upstream that they seem okay with:
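As an added illustration of the comparison rule the report describes (this is example code, not code from GnuTLS, OpenSSL or this project): a minimal DER encoder/decoder for a single-attribute Name, and an RFC 5280 section 7.1 style comparison that treats a PrintableString issuer and a UTF8String subject as the same name even though their bytes differ. `encode_name`, `decode_name` and `names_match` are names chosen for this example.

```python
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C  # ASN.1 universal tags for the two string types
OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)

def _tlv(tag, body):
    assert len(body) < 128, "short-form DER lengths are enough for this example"
    return bytes([tag, len(body)]) + body

def encode_name(cn, string_tag):
    """DER-encode a Name holding one RDN {commonName=cn} with the given string type."""
    ava = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(string_tag, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, ava))

def _children(der):
    """Split DER content into (tag, body) pairs (short-form lengths only)."""
    out, pos = [], 0
    while pos < len(der):
        length = der[pos + 1]
        assert length < 128
        out.append((der[pos], der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out

def decode_name(der):
    """Name -> list of RDNs; each RDN is a frozenset of (oid, string_tag, text)."""
    (tag, body), = _children(der)
    assert tag == 0x30
    rdns = []
    for set_tag, rdn_body in _children(body):
        assert set_tag == 0x31
        avas = set()
        for seq_tag, ava_body in _children(rdn_body):
            (oid_tag, oid), (val_tag, val) = _children(ava_body)
            assert seq_tag == 0x30 and oid_tag == 0x06
            assert val_tag in (PRINTABLE_STRING, UTF8_STRING)  # both decode as UTF-8
            avas.add((oid, val_tag, val.decode("utf-8")))
        rdns.append(frozenset(avas))
    return rdns

def _prep(text):
    # caseIgnoreMatch (RFC 5280 7.1 / RFC 4518): collapse whitespace, fold case.
    return " ".join(text.split()).casefold()

def names_match(der_a, der_b):
    """RFC 5280 comparison: same RDN sequence and attribute types, values compared after
    string preparation, so PrintableString vs UTF8String encoding no longer matters."""
    a, b = decode_name(der_a), decode_name(der_b)
    return len(a) == len(b) and all(
        {(oid, _prep(t)) for oid, _, t in ra} == {(oid, _prep(t)) for oid, _, t in rb}
        for ra, rb in zip(a, b))
```

A byte-for-byte comparison of the two encodings (the RFC 3280 behaviour) fails, while `names_match` accepts them; the chain-building check in a verifier should use the latter.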
Should be fixed now.
Tester should hopefully be able to use the instructions here to generate certificates that exhibit this issue:
Otherwise talk to me to use the ones I have.
Reproduced this problem on 4.11.0 where the full chain of certificates was not returned. Using the same certificates I tested this on build 6436 and the complete chain was returned.
To verify that certificate chains still work as intended, I:
* expanded the chain
* tested with fewer certs
* issued multiple certs from one CA and switched between those
to see if the complete chain was shown, which it was. It works fine now so closing this.