Help thread for DST Root CA X3 expiration (September 2021)

The reissue problem with acme.sh drove me nuts.

According to https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain the default is still 'DST Root CA X3'.

But even when I force reissued with --preferred-chain "ISRG Root X1" or Le_PreferredChain='ISRG Root X1', I got the fullchain with the now expired 'DST Root CA X3' in the chain:

Certificate chain
 0 s:/CN=domain.tld
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Somebody said that they had to re-issue the certificate. Since force didn't work, I tried to delete and issue again, only to learn that acme.sh now uses zerossl by default.
https://community.letsencrypt.org/t/the-acme-sh-will-change-default-ca-to-zerossl-on-august-1st-2021/144052

Came across the switch to continue using letsencrypt:

acme.sh --issue --domain 'domain.tld' --dns dns_pdns --debug --server letsencrypt

Trying to switch back with this is still unconfirmed since I had to give up because of the rate limits.

I really would have appreciated LE raising those limits during such vital changes.

For now I had to switch to zerossl to keep everything running.

And I still don't know if it will be fine next time, since I can only continue my tests next week.

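An added example, not part of the original post and not acme.sh code: a shell check that reads the "Certificate chain" block printed by `openssl s_client` and reports whether the served chain still ends at the DST Root CA X3 cross-sign, which is a quick way to confirm whether a preferred-chain setting took effect after a reissue. The function names and the short-chain sample are constructed for illustration; the long-chain sample is the output quoted in the post.

```shell
#!/bin/sh
# Added example: report which root the served chain ends at, from the
# "Certificate chain" block that `openssl s_client` prints (s:/i: lines).
# Live use (hostname is a placeholder):
#   openssl s_client -connect domain.tld:443 -servername domain.tld \
#       </dev/null 2>/dev/null | chain_verdict

# Print the CN of the issuer of the LAST certificate in the chain on stdin.
# Handles both "/C=US/.../CN=X" and "C = US, ..., CN = X" name styles.
chain_top_issuer() {
    awk '
        /^[ \t]*i:/ { last = $0 }
        END {
            if (last == "") exit 1
            sub(/^.*CN[ \t]*=[ \t]*/, "", last)
            sub(/[ \t\r]+$/, "", last)
            print last
        }'
}

# Exit status: 0 = short chain (ISRG Root X1), 1 = long chain via the
# DST Root CA X3 cross-sign, 2 = no chain found or some other issuer.
chain_verdict() {
    top=$(chain_top_issuer) || { echo "no certificate chain in input"; return 2; }
    case "$top" in
        "DST Root CA X3") echo "long chain: top issuer is DST Root CA X3"; return 1 ;;
        "ISRG Root X1")   echo "short chain: top issuer is ISRG Root X1"; return 0 ;;
        *)                echo "unrecognised top issuer: $top"; return 2 ;;
    esac
}

# Chain as quoted in the post above.
sample_long() { cat <<'EOF'
Certificate chain
 0 s:/CN=domain.tld
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}

# Constructed sample: the same chain without the cross-signed third entry.
sample_short() { sample_long | sed '/^ 2 s:/,$d'; }

for s in sample_long sample_short; do
    printf '%s -> ' "$s"; "$s" | chain_verdict || true
done
```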