SSL – Is this SSL certificate chain broken and how to fix it?

Tags: certificate, certificate-authority, https, ssl, ssl-certificate

For the SSL cert on the domain example.com, some tests tell me that the chain is incomplete and, since Firefox keeps its own certificate store, it might fail on Mozilla (1, 2, 3). Others tell me it is fine, as does Firefox 36, which tells me that the cert chain is fine.

UPDATE: I tested on Opera, Safari, Chrome and IE on both Windows XP and Mac OS X Snow Leopard; they all work fine. It only fails on Firefox < 36 on both OSes. I don't have access to test on Linux, but for this website it is less than 1% of visitors, and most are probably bots. So, this answers the original questions "does this setup bring up warnings in Mozilla Firefox or not?" and "Is this SSL certificate chain broken or not?".

Therefore, the question is: how do I find out which certs I need to place in the ssl.ca file so they can be served by Apache to keep Firefox < 36 from choking?

PS: As a side note, the Firefox 36 I used to test the cert was a brand new install. There is no chance it didn't complain because it had downloaded an intermediate cert during a previous visit to a site that uses the same chain.

Best Answer

Whether the chain is sufficient depends on the CA store of the client. It looks like Firefox and Google Chrome included the certificate for "COMODO RSA Certification Authority" at the end of 2014. For Internet Explorer it probably depends on the underlying OS. The CA might not yet be included in trust stores used by non-browsers, e.g. crawlers, mobile applications etc.

In any case the chain is not fully correct, as can be seen from the SSLLabs report:

  • One trust path requires that the new CA be trusted by the browser. In this case you still ship the new CA, which is wrong, because trusted CAs must be built-in and not contained in the chain.
  • The other trust path is incomplete, i.e. it needs an extra download. Some browsers like Google Chrome do this download, while other browsers and non-browsers expect all necessary certificates to be contained inside the shipped chain. Thus most browsers and applications which do not have the new CA built-in will fail with this site.
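The two problems the answer describes (a root shipped in the chain, and a missing intermediate that only some clients fetch on their own) can be checked locally before touching the Apache ssl.ca file. The script below is an added example, not code from the question or the answer: it builds a constructed root -> intermediate -> leaf hierarchy with the openssl command line (all names and the AIA URL are made up; it assumes OpenSSL 1.1.1 or later with its default config), then evaluates three candidate ssl.ca bundles the way a strict client would, using only the served chain plus the trust store and never downloading anything. It also reads the leaf's "CA Issuers" pointer, which is how you find out which intermediate a real CA expects you to serve.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build a
# constructed root -> intermediate -> leaf hierarchy, then test candidate
# ssl.ca contents with a strict, non-fetching client model.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Root CA: self-signed. This belongs in the client's trust store, not in ssl.ca.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: signed by the root. This is what belongs in ssl.ca.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf: signed by the intermediate, with an AIA "CA Issuers" pointer
# (constructed URL) as real CAs include, so a client could fetch the issuer.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\nauthorityInfoAccess=caIssuers;URI:http://ca.example.invalid/intermediate.crt\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# issuer_url CERT: the URL where the leaf says its issuer can be downloaded.
# This is how to learn which intermediate is missing from ssl.ca.
issuer_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# ships_root BUNDLE: succeeds if any certificate in the bundle is self-signed
# (subject == issuer), i.e. a root that should not be in the served chain.
ships_root() {
  dir="$(mktemp -d)"
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$1"
  for f in "$dir"/c*.pem; do
    s="$(openssl x509 -in "$f" -noout -subject 2>/dev/null)" || continue
    i="$(openssl x509 -in "$f" -noout -issuer 2>/dev/null)" || continue
    [ "${s#subject=}" = "${i#issuer=}" ] && return 0
  done
  return 1
}

# check_chain LEAF BUNDLE TRUSTSTORE: prints "incomplete" when a client that
# does not fetch missing issuers cannot build a path, "ships-root" when the
# path builds but the bundle also carries a root, otherwise "complete".
check_chain() {
  if [ -s "$2" ]; then extra="-untrusted $2"; else extra=""; fi
  if ! openssl verify -CAfile "$3" $extra "$1" >/dev/null 2>&1; then
    echo incomplete
  elif ships_root "$2"; then
    echo ships-root
  else
    echo complete
  fi
}

# Three candidate ssl.ca files: none, intermediate only, intermediate + root.
: > none.pem
cat int.pem > ok.pem
cat int.pem root.pem > withroot.pem
echo "leaf AIA issuer:    $(issuer_url leaf.pem)"
echo "no ssl.ca:          $(check_chain leaf.pem none.pem root.pem)"
echo "intermediate only:  $(check_chain leaf.pem ok.pem root.pem)"
echo "intermediate+root:  $(check_chain leaf.pem withroot.pem root.pem)"
```

Against a real site, the same checks apply to the output of `openssl s_client -connect host:443 -showcerts`: every certificate served after the leaf should be an intermediate (subject differs from issuer), and the last one's issuer should be a root the client already trusts. If the leaf's CA Issuers URL points at a certificate that is not being served, that certificate is the one to add to ssl.ca.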