btw, in my server which uses OpenSSL, I have the ssl\cacert\cacert.txt with all the CA certs. I updated it as needed with new CAs and their change or you can copy the cert to the directory and its read in.
Which one do I copy to cacert?
*-chain.pem or *-chain-only.pem
I copied both, is that why you saw a root cert?
I have to see why openssl v1.1.1.7 reported "wrong ssl version"