Certificates are hard. Using some CA software can help this process a lot.
Something is self signed in that chain(other than the root) start with checking the Intermediate authority, server and client certificates and see if any have the Issuer == Subject.
openssl x509 -in /path/to/server.pem -noout -subject -issuer
subject=CN = Example MongoDB
issuer=CN = Example Intermediate CA
openssl x509 -in /path/to/intermediate -noout -subject -issuer
subject=CN = Example Intermediate CA
issuer=CN = Example_ROOT_CA
Also inspecting the certificate chain presented by the server can be of value, following the appendix instructions there should only be one certificate as a bundle is not created.
echo Q | openssl s_client -connect hostname:27017 -showcerts