Understanding certificates and nginx-ingress

Hi,
Trying to get my head around the certificate handling in Rancher (2.3.6)/nginx-ingress.
I'm using cert-manager.
Without appending ca.crt to tls.crt verifying with openssl:
openssl s_client -connect :443
will say:
Verify return code: 21 (unable to verify the first certificate)

OK, so I'm jumping into the nginx.conf on the ingress:
nginx.conf:
ssl_certificate_by_lua_block {
certificate.call()
}
ssl_client_certificate /etc/ingress-controller/ssl/-rpc-server.pem;

So, checking the pem:
-----BEGIN CERTIFICATE-----
server certificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
server key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----

I would expect this to work, but it doesn't.

If I append ca.crt to tls.crt (cat server.crt ca.crt > tls.crt), it works fine, and the nginx pem will be:
-----BEGIN CERTIFICATE-----
server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
server key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CA certificate
-----END CERTIFICATE-----

So my question is this:
Why is it really necessary to have the CA twice to get the chain ok?
In my context, it makes using cert-manager/ipxe a bit troublesome.

br hw
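
Added example, not part of the original post: a small Python helper that lists the PEM blocks of a bundle in file order and reports which certificates sit before and after the private key, run on constructed stand-ins for the two layouts shown above. The function names and placeholder block contents are assumptions; the code does not parse X.509 and does not reproduce what the ingress controller does.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem(label, payload):
    """Build a constructed PEM block (placeholder bytes, not real X.509 or key data)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def parse_bundle(text):
    """Return (label, short SHA-256 of decoded body) for each PEM block, in file order."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        raw = base64.b64decode("".join(body.split()))
        blocks.append((label, hashlib.sha256(raw).hexdigest()[:12]))
    return blocks

def layout(text):
    """Split the certificates of a bundle into those before and after the private key."""
    blocks = parse_bundle(text)
    key_at = next((i for i, (lbl, _) in enumerate(blocks)
                   if lbl.endswith("PRIVATE KEY")), len(blocks))
    before = [fp for lbl, fp in blocks[:key_at] if lbl == "CERTIFICATE"]
    after = [fp for lbl, fp in blocks[key_at + 1:] if lbl == "CERTIFICATE"]
    return {
        "order": [lbl for lbl, _ in blocks],
        "before_key": before,
        "after_key": after,
        "only_after_key": [fp for fp in after if fp not in before],
    }

# Constructed stand-ins for the blocks named in the post.
SERVER = pem("CERTIFICATE", b"constructed server certificate")
CA = pem("CERTIFICATE", b"constructed CA certificate")
KEY = pem("RSA PRIVATE KEY", b"constructed server key")

FIRST_LAYOUT = SERVER + KEY + CA          # tls.crt holds only the server certificate
SECOND_LAYOUT = SERVER + CA + KEY + CA    # tls.crt built with: cat server.crt ca.crt

if __name__ == "__main__":
    for name, bundle in (("first", FIRST_LAYOUT), ("second", SECOND_LAYOUT)):
        info = layout(bundle)
        print(name, info["order"])
        print("  certs before key:", len(info["before_key"]),
              "| certs only after key:", len(info["only_after_key"]))
```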