Configuring letsencrypt cert with nginx

What is the problem? Please be detailed.
I'm having trouble configuring a letsencrypt cert with Aggregate and nginx.
First I installed Aggregate (no cert) on tomcat8 on default port (8080) then installed enketo/nginx as per instructions skipping the ssl part: and redirected to /odk in nginx sites-available/enabled
This configuration works and I can use with Collect no problems.

Then I followed the enketo instructions to make a csr and use it with certbot and got three files:
0000_cert.pem, 0000_chain.pem and 0001_chain.pem.
I exported the cert with:
openssl pkcs12 -export -in $CERT_PATH/$CERT_NAME.pem -inkey $CERT_PATH/$CERT_NAME.key -out $CERT_PATH/$CERT_NAME.pfx
chmod 644 $CERT_PATH/$CERT_NAME.pfx
chown root:ssl-cert $CERT_PATH/$CERT_NAME.pfx
usermod -a -G ssl-cert tomcat8

and added to server.xml
sed -i.sslold -e '/<!-- Define an AJP/ i <Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" secure="true" scheme="https"
clientAuth="false" sslProtocol="TLS"
keystorePass="somepass" />'
-e 's//
/' /etc/tomcat8/server.xml

then I updated sites-available/enabled with this:

next I re-run the Aggregate installer with the ssl option (port 8443) and copy the war to webapps
finally restarted tomcat and nginx

When I go to everything seems fine I get redirected correctly to I can upload forms, change users, etc. but when I put in Collect I get "trust anchor for certification path not found while accesing".
I can't use Formuploader neither I get "Starting url: unexpected exception: PKIX path building failed: unable to find valid certification path to requested target" I tried with http/https/https:8443
Enketo isn't working either I get this results:
with I get redirected but secure connection failed
with I get this

every other combination gets: "There was an error obtaining the webform"
Also the ssllabs test says: "This server's certificate chain is incomplete. Grade capped to B." How can I fix this?

What ODK tool and version are you using? And on what device and operating system version?
I'm using Aggregate 1.4.14, Collect 1.9.1 and FormUploader 1.4.9

What steps can we take to reproduce the problem?

What you have you tried to fix the problem?
I tried to follow this but not sure which files should I concat and if I should replace cert.pem with it. Also most of the questions use apache and no csr so filenames are different.
I added this to my conf file but didn't work:
ssl_trusted_certificate 0000_chain.pem
ssl_trusted_certificate 0001_chain.pem

The altnames for the cert are: and Do I need also, etc.?
I'm using aws if I remove the inbound rules for 8080 and 8443 will nginx still redirect correctly?

Anything else we should know or have? If you have a test form or screenshots or logs, attach here.


I should've read more carefully.
Concatenate 0000_cert and 0000_chain and update the certs accordingly in nginx and tomcat.
A few links in case I get amnesia: