Due to the recent trust chain changes we created new certificates for our staging environment in order to test these. We have in total four different certificates in that environment. When we got the new certificates, two of them had the new trust chain but two of them still had the old one!
I looked on crt.sh for the new certificates and the certificates listed there use the new correct trust chain. But the ones we received via certbot are not the ones that are listed there! The signatures does not match.
We're using certbot with certonly and providing a presigned csr, due to legacy reasons. If that makes any difference.