Certificate verify failed during renewal

@stuartp Welcome and good report.

Yes, starting Sept 30 the Lets Encrypt servers starting using a certificate chain that ends with ISRG Root X1. This change was in response to the prior DST Root CA X3 expiring.

There are many, many posts about this here.

You need to add ISRG Root X1 to your CA trust store. Right off-hand I do not know how to do this for your system. I just wanted to help you understand what has happened.

Here is some good background info on these chains:

Note the Lets Encrypt ACME API server uses the "short chain" while this website and the other LE sites use the "long chain"