Sectigo Certificate chain rejected because End entity was signed with SHA1withRSA but my certificate was signed with sha256WithRSAEncryption

[ghettosamson]

Versions: Keycloak 26.1.0 in Docker and Postgres 16.6-alpine3.20. I am using BouncyCastle for my Keycloak in FIPS mode. My expiring certificate was signed by Entrust and I did not experience this issue. I have a new certificate signed by Sectigo with sha256WithRSAEncryption. I deploy my Postgres with my private key and certificate with chain. When I start my keycloak container and it attempts to connect to Postgres, I get the following error.

2025-02-14 17:18:40,576 INFO  [org.bouncycastle.jsse.provider.ProvTlsClient] (agroal-11) [client #2 @65a7da3b] raised fatal(2) certificate_unknown(46) alert: Failed to read record: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
	at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:131)
	at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:382)
	at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4827)
	at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:797)
	at org.bouncycastle.tls.TlsClientProtocol.receive13ServerCertificate(TlsClientProtocol.java:1596)
	at org.bouncycastle.tls.TlsClientProtocol.handle13HandshakeMessage(TlsClientProtocol.java:160)
	at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:366)
	at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:715)
	at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:591)
	at org.bouncycastle.tls.RecordStream.readRecord(RecordStream.java:247)
	at org.bouncycastle.tls.TlsProtocol.safeReadRecord(TlsProtocol.java:879)
	at org.bouncycastle.tls.TlsProtocol.blockForHandshake(TlsProtocol.java:427)
	at org.bouncycastle.tls.TlsClientProtocol.connect(TlsClientProtocol.java:88)
	at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(ProvSSLSocketWrap.java:607)
	at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(ProvSSLSocketWrap.java:583)
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:51)
	at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:638)
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:201)
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:268)
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:273)
	at org.postgresql.Driver.makeConnection(Driver.java:446)
	at org.postgresql.Driver.connect(Driver.java:298)
	at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:225)
	at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:580)
	at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:561)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: java.security.cert.CertPathValidatorException: Signature algorithm 'SHA1WITHRSA' not permitted with given parameters and issuer public key
	at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.checkIssuedBy(ProvAlgorithmChecker.java:281)
	at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.check(ProvAlgorithmChecker.java:163)
	at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.checkChain(ProvAlgorithmChecker.java:213)
	at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkAlgorithmConstraints(ImportX509TrustManager_5.java:106)

Attached find the Sectigo certificate chain.
Sectigo-Chain.txt

Is this a bug? If not, is there a way to tell BC to allow this? I've tried several things like removing the chain from the certificate, but Keycloak then complains that the certificate needs the chain. The way I am specifying the private key and the certificate in Keycloak is via the following environment variables, KC_HTTPS_CERTIFICATE_KEY_FILE and KC_HTTPS_CERTIFICATE_FILE and thats all I am providing. I also tried adding KC_TRUSTSTORE_PATHS but that didn't help.