Do you run it on CentOS? I think this comment is related: Nginx with preferred-chain "ISRG Root X1" - still showing "DST Root CA X3" - #31 by FelixSchwarz
it seems there is some issue in CentOS certbot package and the fix is on the way.
I have encountered the same problems on CentOS machines.