The certificate you’re using was generated by the staging (test) CA server. You probably passed --staging, --test-cert or something similar to the client. To get a fully-trusted certificate from the production CA server, don’t use either of those options when you’re calling the letsencrypt command.