
Bug: PGSSLCERT does not pass full certificate chain for client authentication #6152

@gclawes

Description

When using client certificate authentication with a standard two-tier CA (root CA + intermediate CA), if the server is only configured to trust the root CA and does not have the intermediate CA in its trust bundle, clients with a leaf certificate chain consisting of a copy of the intermediate CA and the end-entity CA cannot authenticate.

This appears to be a result of Npgsql only presenting the end-entity certificate (first certificate in the chain bundle) to the server, instead of the full chain.

This causes the server to reject the connection with messages like this:

2025-06-30 19:17:38.186 UTC [135385] [unknown]@[unknown] LOG:  08P01: could not accept SSL connection: certificate verify failed

Steps to reproduce:

  1. Create root CA and use it to create intermediate CA.
  2. Sign a leaf certificate with the appropriate details (subject matching DB user name, etc.) using the intermediate CA.
  3. Configure root CA only as postgresql server's ssl_ca_file.
  4. Concatenate intermediate CA certificate and leaf certificate into certificate chain file: cat /path/to/intermediate.crt /path/to/leaf.crt > /path/to/chain.crt
  5. Connect with PGSSLCERT=/path/to/chain.crt
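The following script is an added example, not part of the issue and not Npgsql or PostgreSQL code. It builds the two-tier CA layout from the steps above with openssl (all subjects, lifetimes and file names are constructed for the demo) and then reproduces the server's view of the problem offline: a verifier that trusts only the root CA rejects the leaf certificate when it is presented alone, and accepts it as soon as the intermediate is supplied alongside it. That is exactly the difference between a client that sends only its end-entity certificate and one that sends the full chain, and it is the condition behind a "certificate verify failed" log line. The `count_certs` helper is a quick way to confirm that a chain file really contains more than one certificate before debugging the server side.

```shell
#!/bin/sh
# Added example: reproduce the two-tier CA from the report and show why a
# server trusting only the root rejects a leaf presented without its
# intermediate. Requires the openssl CLI; everything else is POSIX sh.
set -eu

# Build root CA -> intermediate CA -> leaf (client) certificate in a scratch
# directory and print that directory's path. All names are constructed.
build_demo_pki() {
  d="$(mktemp -d)"

  # 1. Root CA, self-signed. openssl req -x509 marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null

  # 2. Intermediate CA signed by the root. It must carry basicConstraints
  #    CA:TRUE or no path through it will validate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/int.ext"
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/int.ext" \
    -out "$d/intermediate.crt" 2>/dev/null

  # 3. Leaf (client) certificate signed by the intermediate. The CN plays the
  #    role of the database user name (constructed value).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=dbuser" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null

  # 4. Chain bundle, concatenated in the order the report uses.
  cat "$d/intermediate.crt" "$d/leaf.crt" > "$d/chain.crt"

  printf '%s\n' "$d"
}

# Number of PEM certificates in a bundle; a chain file should report > 1.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Emulate a server whose trust store holds only ROOT. Returns 0 when CERT
# validates using nothing but ROOT plus the optional UNTRUSTED intermediates
# handed over with it (the analogue of what the client actually sends).
verify_client_cert() {
  root="$1"; cert="$2"; untrusted="${3:-}"
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$root" -untrusted "$untrusted" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
  fi
}

# Stand-alone demonstration.
DEMO_DIR="$(build_demo_pki)"
echo "certificates in chain.crt: $(count_certs "$DEMO_DIR/chain.crt")"
if verify_client_cert "$DEMO_DIR/root.crt" "$DEMO_DIR/leaf.crt"; then
  echo "leaf alone: accepted"
else
  echo "leaf alone: rejected (this is the 'certificate verify failed' case)"
fi
if verify_client_cert "$DEMO_DIR/root.crt" "$DEMO_DIR/leaf.crt" "$DEMO_DIR/intermediate.crt"; then
  echo "leaf + intermediate: accepted"
else
  echo "leaf + intermediate: rejected"
fi
```

Run it as `sh demo.sh`; the two `verify_client_cert` results differ only in whether the intermediate travels with the leaf, which is the property to check on the wire (for example with a packet capture of the TLS Certificate message) when a server trusting only the root rejects a client whose chain file looks complete.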

I discovered this in the now-archived Readarr/Readarr project, which is using the latest version of Npgsql:
https://github.com/Readarr/Readarr/blob/0b79d3000d4e5f8425f499970b0190e2c421fceb/src/NzbDrone.Core/Readarr.Core.csproj#L26
