Ok, glad to hear. You were using the --nginx plug-in for both authentication and installation. That was what you specified when creating the cert initially (I saw that in your messages). Usually that takes care of the renew automatically. I think you modified the nginx.conf manually afterwards so as to confuse certbot so it could not complete the task.
I was going to walk you through creating a cert fresh but glad that is not necessary. You have issued a new cert and are now serving a proper chain. I show it here just for fun.
openssl s_client -connect app.ppe.exchange:443 -servername app.ppe.exchange
Certificate chain
0 s:/CN=app.ppe.exchange
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
subject= /CN=app.ppe.exchange
issuer= /C=US/O=Let's Encrypt/CN=R3
notBefore=Nov 5 01:05:38 2021 GMT
notAfter=Feb 3 01:05:37 2022 GMT