Thanks. I am puzzled. The certs shown by the openssl are what we should see. And, they are not self-signed. So, I don't understand the cause of the error.
I see the openssl error about "unable to get local issuer" but that might be a quirk of that particular openssl not using the Windows CA store properly. So, I'm ignoring that and just looking at the actual certs which are fine (also noting your curl/invoke-webrequest was fine).
Could you have some new kind of firewall, possibly on the server, which is affecting requests from the certbot program that would not affect other programs? It would be a new program or new setting since you last got a good cert, so in the last 3 months.
There is an option that might allow you to renew.
BUT IT COULD BE DANGEROUS.
The self-signed cert error is a sign that something odd is between certbot and the Let's Encrypt server. It could be a MITM attack and ignoring it could create security problems. As a debug aid though, you could try:
certbot renew --dry-run --no-verify-ssl
@Osiris I don't know python well but is there some debug code that could be easily added to the certbot scripts to display the self-signed cert details? That likely would tell us what is interfering.
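Added example (not part of the original post and not certbot's own code): a standalone Python script, using only the standard library, that shows which certificate is actually presented to Python on the machine where certbot runs. It disables verification only to read the certificate, then prints the leaf's issuer and subject and whether the two are identical; the function names are hypothetical and the hostname to probe is an assumption passed on the command line.

```python
import socket, ssl, sys

_ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",   # DER bytes of OIDs 2.5.4.x
         b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def _tlv(b, i):
    """Return (tag, content_start, content_end) for the DER element at offset i."""
    tag, n, i = b[i], b[i + 1], i + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(b[i:i + k], "big"), i + k
    return tag, i, i + n

def _children(b, start, end):
    while start < end:  # yields (tag, header_start, content_start, content_end)
        tag, s, e = _tlv(b, start)
        yield tag, start, s, e
        start = e

def issuer_and_subject(der):
    """Return the raw DER Name elements (issuer, subject) of an X.509 certificate."""
    _, s, e = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    # Drop the optional [0] version; then: serial, sig alg, issuer, validity, subject
    f = [c for c in _children(der, s, e) if c[0] != 0xA0]
    return der[f[2][1]:f[2][3]], der[f[4][1]:f[4][3]]

def name_text(name):
    """Render a DER Name as 'O=..., CN=...'; unknown attribute OIDs are shown as hex."""
    parts = []
    _, s, e = _tlv(name, 0)
    for _, _, rs, re_ in _children(name, s, e):       # each RDN (SET)
        for _, _, a, ae in _children(name, rs, re_):   # each attribute SEQUENCE
            (_, _, o, oe), (_, _, v, ve) = list(_children(name, a, ae))[:2]
            label = _ATTR.get(name[o:oe], name[o:oe].hex())
            parts.append(f"{label}={name[v:ve].decode('utf-8', 'replace')}")
    return ", ".join(parts)

def report(der):
    i, s = issuer_and_subject(der)
    return {"issuer": name_text(i), "subject": name_text(s), "self_issued": i == s}

def fetch_leaf_der(host, port=443):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: nothing received is trusted
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    print(report(fetch_leaf_der(sys.argv[1])))  # argument: ACME server hostname
```

An issuer that names a local security product or an internal CA instead of a public CA points to TLS interception on the path. The script compares names only and does not check the signature, so `self_issued` means issuer and subject are identical.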