Invalid certificate chain

Since the expiry of the DST Root CA X3 Let's Encrypt now offers two chains. One we call the 'long chain' which is what you describe. This long chain is the default and used by many websites including this forum site. There is also a 'short chain' that excludes the expired DST cert.

You can choose which one using certbot by adding --preferred-chain "ISRG Root X1" to the command. BUT, you must use certbot v1.12 or later for this to work so you would need to upgrade.

Most sites do not need to use the short chain. Please read this topic for a better understanding