It seems that the bundle contains 3 parts for the chain, 1 for the cert itself and 1 for the private.key
A added one extra to the chain (2 -> 3) and it works now for protector2.spam.exchange
So no bug but a missing cert in the chain.
The chain certificate can be uploaded but it's not mandatory.
they can get and upload a chain or intermediate certificate, so that those website will not complain any more