Obtaining a Let's Encrypt certificate that passes CipherString SECLEVEL=2 in OpenSSL

I think the server is likely running ancient OpenSSL and has the bug described on Chromium Docs - TLS SHA-1 Server Signatures

This is pretty easy to test in Chrome by going to chrome://flags and enabling the #use-sha1-server-handshakes flag.

This isn't a problem with the certificate, but with the software installed on the server. SHA-1 handshake signatures are being phased out by Chrome as mentioned in the above link, but OpenSSL on various Linux distributions has also started doing the same.

The server reports it is running "Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.3.20". The bug exists in OpenSSL versions 1.0.1 up to 1.0.1i.

Note that version 1.0.1i was released in 2014, 9 years ago. Apache 2.4.3 is of a similar vintage.

You should seriously consider upgrading Apache and OpenSSL to a version that is newer and supported.

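The same diagnosis can be made from the command line instead of a Chrome flag. The script below is an added example, not code from the thread or from OpenSSL: it uses `openssl s_client` (OpenSSL 1.0.2 or newer prints a `Peer signing digest:` line with the digest the server used for its ServerKeyExchange signature) and classifies the result. The probe forces TLS 1.2, offers only SHA-256 signature algorithms like a modern browser, and lowers the local security level to 0 so that a server with the bug completes the handshake and the SHA-1 digest is actually reported rather than the connection failing early with a "wrong signature type" error at SECLEVEL=2. The `@SECLEVEL` syntax assumes a local OpenSSL of 1.1.0 or newer; the hostnames and the two transcripts are constructed placeholders, not captured from any real server.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the SHA-1 handshake
# signature diagnosis with openssl s_client. A TLS 1.2 server affected by the
# bug signs its ServerKeyExchange with SHA-1 even when the client only offers
# SHA-2 signature algorithms; s_client (OpenSSL 1.0.2+) reports the digest it
# saw on its "Peer signing digest:" line. Hostnames below are placeholders.

# Read s_client output on stdin and print the digest of the server's
# handshake signature (empty if the line is absent, e.g. handshake failed).
peer_signing_digest() {
    sed -n 's/^Peer signing digest: *//p' | head -n 1
}

# Classify a captured s_client transcript. Always returns 0 so it can be
# used under `set -e`; the verdict is printed on stdout.
check_sig_digest() {
    digest=$(printf '%s\n' "$1" | peer_signing_digest)
    case "$digest" in
        SHA1)   echo "sha1-handshake-signature" ;;   # the bug described above
        "")     echo "unknown" ;;                    # no digest reported at all
        *)      echo "ok:$digest" ;;                 # SHA-2 family, passes SECLEVEL=2
    esac
}

# Live probe (needs network). Force TLS 1.2 so the server must send a signed
# ServerKeyExchange, offer only SHA-256 sigalgs like a modern browser, and set
# the local security level to 0 so the handshake completes and the digest is
# reported instead of failing early with "wrong signature type". Assumes the
# local openssl is 1.1.0 or newer, which understands @SECLEVEL in -cipher.
probe_server() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -tls1_2 \
        -sigalgs 'RSA+SHA256:ECDSA+SHA256' -cipher 'DEFAULT:@SECLEVEL=0' \
        </dev/null 2>/dev/null
}

# Constructed sample transcripts (not captured from any real server).
SAMPLE_BUGGY='Server certificate
subject=CN=example.test
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_FIXED='Server certificate
subject=CN=example.test
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Usage: sh check_sha1_sig.sh www.example.test
if [ $# -gt 0 ]; then
    check_sig_digest "$(probe_server "$1")"
fi
```

If the verdict is `sha1-handshake-signature`, re-running the probe without the `-cipher 'DEFAULT:@SECLEVEL=0'` argument on a distribution that defaults to SECLEVEL=2 should reproduce the failure the thread describes; reissuing the certificate will not change the verdict, only upgrading the server-side OpenSSL will.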