Construct the PEM file in this exact order:
cat server.example.com.pem > chain-server.example.com.pem cat inter2.pem >> chain-server.example.com.pem cat inter1.pem >> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
This applies to almost all OpenSSL based implementations. But it should be documented somewhere.
This post will probably end up in Google - so people will find it that way (including me, when I've forgotten this little detail at some point in the future)
It's a little bit different in Apache, where the user specifies a file containing intermediate certs - many of the CAs give instructions for adding that file in Apache, but they make no mention of OpenSSL/Kamailio/concatenating everything, so I imagine people will get stuck on things like this