You will like this answer - do nothing
There is nothing wrong with your cert chain. whynopadlock gives a false alarm due to expired DST Root CA X3
at the end of the chain. This is not a problem. This website also has a cert chain ending in the DST cert. We call this the "long chain" and is used for best compatibility with older Android clients.
See other sites that test cert chains better - like SSL Labs
There are some other issues about your site pointed out by both of these sites you may wish to address but the cert chain is not one of them.
For some background on this issue see: