Issue - Unable to verify certificate chain - CentOS7

Can you point me to the config docs for that server? I looked but cannot find them.

That set of certs you created includes the root trust anchor. If your clients actually trust it without confirming in their own CA trust store then you may have been able to use a self-signed cert. Sending the anchor is unnecessary and defeats the purpose of client verifications of trust.

You have a "short chain" and you can read about its compatibility here.

As an overview of the short and long chains, there is this topic.

With certbot 1.12 you should be able to use the --preferred-chain 'ISRG Root X1' option so you get the short chain returned in fullchain.pem. Then, apparently, you need to add the ISRG Root X1 root trust anchor to satisfy your server. That is probably easier to create than shortening the long chain and adding the root trust anchor.

9 Likes
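
A way to check what the post describes, whether a chain file such as fullchain.pem also carries the root trust anchor, as an added example that is not part of the original post. It uses only the Python standard library; the function names are hypothetical, and it treats a certificate as a root when its issuer and subject encodings are byte-identical, a simplification of RFC 5280 name matching.

```python
import base64
import re
import sys

# Added example: helper names are hypothetical, not part of certbot or any server.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER Name encodings (issuer, subject) of one certificate."""
    _, start, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)     # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, vend = read_tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(der[pos:vend])
        pos = vend
    if len(fields) < 5:
        raise ValueError("not an X.509 TBSCertificate")
    return fields[2], fields[4]            # serial, sigAlg, issuer, validity, subject

def audit_chain(pem_text):
    """Return one (position, is_self_issued) tuple per certificate in the file."""
    result = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        issuer, subject = issuer_and_subject(der)
        result.append((i, issuer == subject))   # assumption: byte-equal names = root
    return result

def includes_trust_anchor(pem_text):
    """True if any certificate in the chain file is self-issued (a root)."""
    return any(flag for _, flag in audit_chain(pem_text))

if __name__ == "__main__" and len(sys.argv) > 1:
    for pos, root in audit_chain(open(sys.argv[1]).read()):
        print(pos, "self-issued root" if root else "leaf or intermediate")
```

Run it with the path to the chain file as the only argument; a cross-signed certificate whose subject differs from its issuer is reported as an intermediate, not a root.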