
macOS Server: How to remove self-signed root from website SSL cert chain?

1 vote
1 answer
168 views
macOS 10.13.6, Server.app 5.6.3. I'm using LetsEncrypt SSL certs. After updating a cert with certbot, I use openssl to export a PKCS12 file, then import that to the system keychain using "security" as follows:
# cd /etc/letsencrypt/live/www.brazoslink.net
# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:(random passkey)
# security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P (random passkey) -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
This all works, no errors, the updated cert appears in Server Admin just as it should, and any services/websites using that cert are automatically updated to use the updated cert so I can delete the old version. All good. However, the cert that gets created in /etc/certificates contains the self-signed "ISRG Root X1" cert, which was not contained in the original LE cert. When I run the SSL cert tests at ssllabs.com, it complains, "Incorrect order, Extra certs, Contains anchor" and gives me a "B" rating. Can anyone explain what is going on here, and how I can fix it?
Asked by JLG (150 rep)
Nov 14, 2022, 10:10 PM
Last activity: Aug 2, 2025, 12:09 AM
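As an added example (not code from the question, Server.app or certbot), the following stdlib-only Python script applies the three SSL Labs findings quoted above to a PEM bundle and writes out the leaf-first chain with the self-signed anchor dropped, which is the file to hand to `openssl pkcs12 -certfile` in place of fullchain.pem (certbot's fullchain.pem already begins with the leaf that `-in cert.pem` supplies). The function names, the `R3` and `www.host.test` names, and `fake_cert`, which builds constructed unsigned certificate skeletons so the check runs offline, are all assumptions of this example.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, end); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                      # long form: low 7 bits = number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def names(pem_block):
    """(issuer, subject) of one PEM cert as raw DER Name bytes; equal bytes mean self-signed."""
    body = base64.b64decode(b"".join(PEM_RE.search(pem_block).group(1).split()))
    tbs, pos, fields = tlv(tlv(body)[1])[1], 0, []   # Certificate -> tbsCertificate
    while pos < len(tbs):
        tag, val, pos = tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                 # serial, sigAlg, issuer, validity, subject

def chain_order(meta):
    """Indexes of the leaf-first path through meta; stops before any self-signed cert."""
    issuers = {iss for iss, _ in meta}
    by_subject = {sub: i for i, (_, sub) in enumerate(meta)}
    order = [next((i for i, (_, sub) in enumerate(meta) if sub not in issuers), 0)]
    while True:
        nxt = by_subject.get(meta[order[-1]][0])
        if nxt is None or nxt in order or meta[nxt][0] == meta[nxt][1]:
            return order
        order.append(nxt)

def audit_chain(bundle):
    """Return (SSL Labs findings quoted in the question, sorted; cleaned leaf-first PEM)."""
    blocks = [m.group(0) for m in PEM_RE.finditer(bundle)]
    order = chain_order(meta := [names(b) for b in blocks])
    issues = {"Contains anchor"} if any(i == s for i, s in meta) else set()
    if len(order) < len(meta):                        # anything off the path, the root included
        issues.add("Extra certs")
    if order != list(range(len(order))):              # path certs must sit first and in order
        issues.add("Incorrect order")
    return sorted(issues), b"".join(blocks[i] + b"\n" for i in order)

def der(tag, body):                                   # tiny DER encoder, short-form length only (fixtures)
    return bytes([tag, len(body)]) + body
def fake_cert(subject, issuer):                       # constructed, unsigned cert skeleton, not a real cert
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject)
    cert = der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
```

Run it against the real fullchain.pem by passing `open(path, "rb").read()` to `audit_chain` and writing the second return value to a chain file for `-certfile`; names are compared byte-for-byte as DER, which is how a self-signed root reveals itself.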