sendmail: Use cert and cert chain file seperately

For some reason sendmail didn't like fullchain file so seperate them.

roles/sendmail/tasks/main.yml

@@ -34,18 +34,32 @@
 - name: copy certificate
   copy:
     src: "{{ item }}"
-    dest: "{{ tls_certs }}/{{ mail_server }}-fullchain.crt"
+    dest: "{{ tls_certs }}/{{ mail_server }}.crt"
     mode: 0644
     owner: root
     group: "{{ ansible_wheel }}"
     validate: /usr/bin/openssl x509 -in %s -noout
   with_first_found:
-    - "/srv/letsencrypt/live/{{ mail_server }}/fullchain.pem"
+    - "/srv/letsencrypt/live/{{ mail_server }}/cert.pem"
     - "/srv/ca/certs/{{ mail_server }}.crt"
     - "/srv/ca/certs/{{ inventory_hostname }}.crt"
   tags: certificates
   notify: restart sendmail
 
+- name: copy certificate chain
+  copy:
+    src: "{{ item }}"
+    dest: "{{ tls_certs }}/{{ mail_server }}-chain.crt"
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+    validate: /usr/bin/openssl x509 -in %s -noout
+  with_first_found:
+    - "/srv/letsencrypt/live/{{ mail_server }}/chain.pem"
+    - "/srv/ca/certs/ca.crt"
+  tags: certificates
+  notify: restart sendmail
+
 - name: copy sendmail config template
   template:
     src: sendmail.mc.j2

roles/sendmail/templates/sendmail.mc.j2

@@ -23,7 +23,8 @@ TRUST_AUTH_MECH(`GSSAPI LOGIN PLAIN')dnl
 define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI LOGIN PLAIN')dnl
 dnl #
 define(`confCACERT_PATH', `/etc/mail/certs')dnl
-define(`confSERVER_CERT', `/etc/pki/tls/certs/{{ mail_server }}-fullchain.crt')dnl
+define(`confCACERT', `/etc/pki/tls/certs/{{ mail_server }}-chain.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/{{ mail_server }}.crt')dnl
 define(`confSERVER_KEY', `/etc/pki/tls/private/{{ mail_server }}.key')dnl
 define(`confCLIENT_CERT', `/etc/pki/tls/certs/{{ mail_server }}.crt')dnl
 define(`confCLIENT_KEY', `/etc/pki/tls/private/{{ mail_server }}.key')dnl