Firefox says "Secure Connection Failed" but certificate works in Chrome, Edge, Brave, and Opera

Perfect!

  1. Make a copy of certificate.crt and name it ca.crt.
  2. Edit ca.crt and delete the first of the three certificates in that file. You can tell them apart by the header and footer lines for each certificate.
  3. Upload that ca.crt.
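The three steps above done from a shell, as an added example that is not part of the original thread. It assumes certificate.crt is a PEM bundle with the leaf certificate first; the function names and the placeholder sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example: build ca.crt from a full-chain certificate.crt by dropping
# the first PEM block (the leaf). Function names here are hypothetical.

# count_certs FILE: print the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_ca_bundle SRC DST: write every certificate except the first to DST
make_ca_bundle() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "error: cannot read $src" >&2; return 1; }
    total=$(count_certs "$src")
    if [ "$total" -lt 2 ]; then
        echo "error: $src holds $total certificate(s); no chain to extract" >&2
        return 1
    fi
    # n counts BEGIN lines. Only lines inside block 2 and later are printed,
    # so the leaf and any stray text between blocks are left out.
    awk '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n > 1               { print }
        /-----END CERTIFICATE-----/   { inside = 0 }
    ' "$src" > "$dst"
}

# Constructed sample: placeholder bodies, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R3-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISRG-ROOT-X1-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample; point make_ca_bundle at a real file instead.
tmp=$(mktemp -d)
write_sample_bundle "$tmp/certificate.crt"
make_ca_bundle "$tmp/certificate.crt" "$tmp/ca.crt"
echo "ca.crt holds $(count_certs "$tmp/ca.crt") certificates"
```
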

It worked!

:partying_face:

That's what I'm talking about! :sunglasses:

https://decoder.link/sslchecker/katearbon.com/443

You've even got the "long chain", which provides maximal compatibility. Many, many people have struggled here for the past week to achieve that.

Yay! Thank you so much for your help. :partying_face:

You might want to let Blacknight know that they need to update their Apache TLS/SSL configurations to:

  1. Remove TLS 1.0 and 1.1 support.
  2. Make sure the cipher suites their servers are using are strong.

Here's a great reference for them for both:

https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.6

That will also help them fix their OCSP stapling issues as well.

What part of the report is indicative of the "long chain"?

Thanks, I'll inform Blacknight of the necessary updates.

If you look here:

https://decoder.link/sslchecker/katearbon.com/443

You'll see three certificates. The "short chain" is only the first two certificates (your leaf and R3). The "long chain" also includes ISRG Root X1.

I updated your SSL Labs test. You'll see it there too:

https://www.ssllabs.com/ssltest/analyze.html?d=www.katearbon.com&hideResults=on

You can ignore the CRL Error in certificate 3 and the expiration of certificate 4 (DST Root CA X3), which you can read about in the news worldwide at this point.

Thanks again. Sent you the price of a few beers. :beer:

Thanks for the :beers: !

:smiley: