
Incorrect Certificate Detection with ECDHE_RSA suites #710

@RobbieDubya

Description

SSLyze incorrectly reports on RSA certificates when the only RSA suites are ECDHE_RSA suites but ECDHE_ECDSA suites are available.

To Reproduce
Use any recent version of SSLyze against the following nginx configuration.

server {
    listen 9998 ssl;
    server_name localhost;

    ssl_certificate /certs/rsa.crt;
    ssl_certificate_key /certs/rsa.key;

    ssl_certificate /certs/ecdsa.crt;
    ssl_certificate_key /certs/ecdsa.key;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 9999 ssl;
    server_name localhost;

    ssl_certificate /certs/rsa.crt;
    ssl_certificate_key /certs/rsa.key;

    ssl_certificate /certs/ecdsa.crt;
    ssl_certificate_key /certs/ecdsa.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
}

Scan both :9998 and :9999.

Note that 9999 reports only 1 detected certificate despite correctly detecting the RSA cipher suite.

Expected behavior
Correct number of certificates reported, and the certificates match the needs of the reported cipher suites.

Python environment (please complete the following information):
Not relevant.

Additional context
Root cause is using the RSA cipher list in _get_cert_chain.py:get_certificate_chain. This is equivalent to kRSA. What is intended is kRSA:aRSA. The RSA list will run the certificate gathering connections with all RSA key exchange suites turned on, ignoring the aRSA suites supported by the target server.

Example bad fix: [screenshot, not reproduced in text]
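The cipher-list behaviour behind this report can be checked directly against the local OpenSSL build, without SSLyze or nginx. The block below is an added example, not SSLyze's code: it asks OpenSSL (through Python's ssl module) which suites the "RSA" alias enables versus "kRSA:aRSA", then intersects each with the two suites the :9999 server config above offers. The server list is copied from the issue's ssl_ciphers line; nothing is sent over the network.

```python
import ssl

# Server-side cipher list taken from the :9999 nginx block in the issue.
SERVER_9999 = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def enabled_suites(cipher_list: str) -> list:
    """Expand an OpenSSL cipher-list string into the TLS <= 1.2 suite names
    it enables, using the OpenSSL alias table linked into Python's ssl module.
    TLS 1.3 suites are always present in get_ciphers() and are dropped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def has_ecdhe_rsa(suites: list) -> bool:
    """True if any ECDHE_RSA suite (RSA authentication, ECDHE key exchange)
    survived the cipher-list filter."""
    return any(name.startswith("ECDHE-RSA-") for name in suites)


def negotiable(server_cipher_list: str, client_cipher_list: str) -> list:
    """Suites both sides can agree on, in server preference order (mirrors
    ssl_prefer_server_ciphers on). An empty result means the certificate
    gathering handshake would fail and no RSA certificate would be seen."""
    client = set(enabled_suites(client_cipher_list))
    return [s for s in enabled_suites(server_cipher_list) if s in client]


if __name__ == "__main__":
    for client_list in ("RSA", "kRSA:aRSA"):
        suites = enabled_suites(client_list)
        print(f"{client_list!r}: {len(suites)} suites, "
              f"ECDHE-RSA present: {has_ecdhe_rsa(suites)}")
        print(f"  negotiable with :9999 -> {negotiable(SERVER_9999, client_list)}")
```

The "RSA" list yields no common suite with the :9999 server, so the connection meant to fetch the RSA certificate cannot complete; "kRSA:aRSA" leaves ECDHE-RSA-AES256-GCM-SHA384 negotiable and the RSA certificate is served.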
