Using CA generated PEM files for Dgraph tls

I’m trying to use LetsEncrypt-generated certificate/keyfile artifacts to allow a web app to query graphql. I tried placing the ‘fullchain.pem’ and ‘privkey.pem’ in the tls directory… Insomnia is OK with it but Chrome errors with ERR_CERT_AUTHORITY_INVALID.

dgraph cert ls yields

[Decoder]: Using assembly version of decoder
-rw-r--r-- ca.crt - <redacted-domain>.com certificate
        Issuer: Let's Encrypt
           S/N: 044d084b401XXXXde1b6ec6a8d4bc7bfd5e
    Expiration: 14 Feb 21 18:41 UTC
SHA-256 Digest: XXXXXXX 2BC75D05 139FAB42 F30E316F F2936468 C45380CF DB716D5B 6F9616D2

ca.key: error: Unknown PEM type: PRIVATE KEY

<snip>

I tried converting the privkey.pem to a DER formatted key via

sudo openssl rsa -outform der -in privkey.pem -out tls/ca.key

But dgraph cert ls balks at that too

<snip>
ca.key: error: Failed to read key block
<snip>

Maybe someone has used CA generated PEMs before?

An update for anyone searching for how to do this… the correct command to change the PEM to an RSA key format that dgraph likes:

openssl rsa -in privkey.pem -out tls/ca.key

That made dgraph cert ls happy, but not Chrome. I then tried copying ca.crt to node.crt and ca.key to node.key and voila: Chrome is happy to connect to dgraph via SSL now.

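The two `dgraph cert ls` errors quoted above correspond to what the key file contains: a `PRIVATE KEY` (PKCS#8) block in one case, and no PEM block at all in the DER case. The script below is an added example, not part of the original post or of Dgraph; it reports the block types in a file so the format can be checked before copying it into the tls directory. The function names, the `der.key` file name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the PEM blocks in a key or certificate file.

# Print the label of every "-----BEGIN <label>-----" line, one per line.
pem_labels() {
    LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Name the container format of the first private-key block in a file.
classify_key() {
    label=$(pem_labels "$1" | grep 'PRIVATE KEY$' | head -n 1)
    case "$label" in
        "RSA PRIVATE KEY")       echo "pkcs1-rsa" ;;       # traditional RSA form
        "PRIVATE KEY")           echo "pkcs8" ;;           # type named in "Unknown PEM type"
        "ENCRYPTED PRIVATE KEY") echo "pkcs8-encrypted" ;; # passphrase-protected
        "EC PRIVATE KEY")        echo "sec1-ec" ;;
        "")                      echo "no-pem-block" ;;    # e.g. DER: no BEGIN line
        *)                       echo "other:$label" ;;
    esac
}

# Count certificates in a bundle such as fullchain.pem (leaf plus intermediates).
count_certs() {
    pem_labels "$1" | grep -c '^CERTIFICATE$' || true
}

# Constructed samples: only the BEGIN/END lines matter, bodies are placeholders.
write_samples() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/ca.key"
    printf '\060\202\004\244' > "$1/der.key"   # first bytes of a DER SEQUENCE
    for i in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
            '-----END CERTIFICATE-----'
    done > "$1/fullchain.pem"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in privkey.pem ca.key der.key; do
    echo "$f: $(classify_key "$demo_dir/$f")"
done
echo "fullchain.pem certificates: $(count_certs "$demo_dir/fullchain.pem")"
rm -rf "$demo_dir"
```

On OpenSSL 3.x, `openssl rsa` writes PKCS#8 by default, so `-traditional` is needed to get the `RSA PRIVATE KEY` form.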