I'm just making this thread in the hope that people who encounter this problem will find it more quickly when searching the forum.
If you use the official Certbot package in OpenSuSE Leap, there is an operating system package default to request certificates from the staging (test) server instead of the production (live) server. The resulting certificates are not trusted by browsers and will produce a browser warning about an untrusted certificate. This is not the intended behavior by the Certbot developers because we expect that the default should be to get trusted certificates; for testing purposes, we've provided options such as --test-cert. The package sets this default in cli.ini, where many users may not think to look for it.
According to @Patches, we succeeded in getting OpenSuSE to change this default in Tumbleweed but the change has not yet (as of early October 2017) been ported to Leap and a user had problems with it recently.
If you encounter this problem yourself, it is easy to work around it by changing the cli.ini file so that it doesn't prefer the staging server.