I searched googel again and found the solution.
Workaround
First check that you have applied the pattern update which removes the expired DST Root CA X3 and applies the correct ISRG Root X1. To do this, proceed as follows:
Open the WebAdmin of the UTM. 1.
- navigate to Web Protection -> Filter Options -> "HTTPS CAs" tab
- check that the following entries are included under "Global Verification CAs":
Internet Security Research Group ISRG Root X1
Internet Security Research Group ISRG Root X2
If the entries are present, you have already applied the pattern update. 4.
If the pattern update has not yet been applied, navigate to Administration -> Up2Date -> "Overview" tab.
- you should be offered to update now under "Patterns". It is recommended to set the "Interval for pattern download and installation" in the "Configuration" tab not to manual, but to an automatic time interval, unless there is a valid reason not to install the pattern updates automatically
After checking for the pattern update, you must now check whether there are any old root certificates from Let's Encrypt remaining in the certificate management. To do this, proceed as follows:
- navigate to Webserver Protection -> Certificate Management -> tab "CA".
- remove all CA certificates whose expiration date has passed.
Check for certificates with the following fingerprint and remove them:
93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF.
- check that your Let's Encrypt certificate can now be renewed.
This was still present:
93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF.
Funny was just that I have renewed only 2 weeks ago still a Cert.
Nevertheless
Thanks for your help.