Invalid or malformed certificate using caFingerprint

Can you explain why you decided to do this?
The out of the box configuration is designed to make everything work simply and easily without all this messing around. What was your motivation for changing it?

I suspect the problem is here:

xpack.security.http.ssl.certificate_authorities doesn't do what you think it does. It is used to validate client certificates. Since you aren't using client certificates, this line achieves nothing.

What you seem to be trying to do is provide the issuing chain for the server certificate. In Elasticsearch you do that by concatating the issuing chain with the server certificate.

See the explanation and example commands here

As it is, it doesn't looks like you have configured Elasticsearch to send the CA certificate over the wire, so the client cannot verify the fingerprint.

Is there a particular reason you want to use the CA fingerprint rather than just trusting the CA cert itself?
The fingerprint is a simple option when you use security auto configuration because the CA fingerprint is included in the node's output when it is set up, but if you're using your own cert then there's no real benefit to a fingerprint