windows_certificate_filter doesn't add certificate chain

[jerveree]

What's wrong?

When I try to use the windows_certificate_filter block to define the TLS certificate for Grafana Alloy, the certificate is found in windows certificate manager, but the (intermediate) CA isn't added to the certificate chain during TLS handshake

Steps to reproduce

Use an alloy config with windows_certificate_filter block and verify with openssl s_client to check the chain.

System information

Windows Server 2022 AMD64

Software version

Grafana Alloy v1.1.0

Configuration

logging {
	level = "info"
}

http {
	tls {
		client_auth_type = "NoClientCert"
		windows_certificate_filter {
			server {
				system_store = "LocalMachine"
				store = "My"
				template_id = "1.3.6.1.4.1.311.21.8.102447—-"
				refresh_interval = "5m"				
			}
			client {
			}			
		}
	}
}

prometheus.exporter.windows "collectors" {
	enabled_collectors = ["cpu","cs","logical_disk","net","os","service","system"]
}

Logs

No CA, openssl:

---
Certificate chain
 0 s:CN=———
   i:DC=be, DC=UGent, CN=UGent ADCS Enterprise CA 02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 17 12:45:25 2024 GMT; NotAfter: May 17 12:45:25 2026 GMT
---

And connection fails with a decrypt error. Wireshark:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Decrypt Error)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Decrypt Error (51)