Almost certainly the problem is that you're not serving a certificate chain. A webserver needs the certificate, as well as an intermediate or two which "chain" back to the long-lived roots in the ca-certificates package.
What is the webserver (eg, nginx), and how is the certificate configured in it? Unfortunately there is some inconsistency in how this is set up.
A typical source of this error is giving software the cert.pem file, when it needs fullchain.pem -- to use the filenames certbot produces by default. Some other software takes the cert.pem and chain.pem seperately. (fullchain.pem is both of them combined)