That doesn't seem to have taken effect:
openssl s_client -connect old-nginx.capuchin.co:443 -servername old-nginx.capuchin.co
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = old-nginx.capuchin.co
verify return:1
---
Certificate chain
0 s:CN = old-nginx.capuchin.co
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
You may have to reissue the cert using "--preferred-chain "ISRG Root X1" "