SSL certificate shows warning SSL_ERROR_BAD_CERT_DOMAIN on some browsers and works on others after renewal

There are some possible complex Windows cert store updates for your client's Server 2008. But I do not know Windows well enough. Perhaps @rmbolger or @webprofusion will have ideas. Or, as Rudy suggests, search this forum for that client system. They have problems reaching any site using the "long chain" from Let's Encrypt, so they may want help for a proper fix.

Without that, I can think of two options:

  1. Change your server to send the "short chain". This should allow your Windows Server client to work but will then not work for people using older Android clients. See this topic Long (default) and Short (alternate) Certificate Chains Explained for more details of this tradeoff and setting the short chain. You would also need to update your Certbot to a snap install to get a version that supports the preferred-chain option. Or you could make the short chain with manual edits - ack. You can confirm the short chain would help your Windows Server client by having them try this link: https://valid-isrgrootx1.letsencrypt.org If that works changing to short chain will help them - at least.

  2. Use a different Certificate Authority like ZeroSSL or another free CA. This is sometimes needed if you need to support a wide variety of older clients. See this topic for how to change Certbot to do that. This may well be the most painless option in this case.

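To check which chain a server is actually sending before and after switching, the following POSIX shell helper is an added example, not code from the post above or from Certbot. It splits the PEM bundle that `openssl s_client -showcerts` returns, picks the last certificate, and reads its issuer CN: on the "long chain" the last certificate is the ISRG Root X1 cross-sign whose issuer is "DST Root CA X3", while on the "short chain" the last certificate is the intermediate issued by "ISRG Root X1". The host name and the `chain.pem` path are placeholders; the certbot command in the trailing comment uses the real `--preferred-chain` option mentioned in the post, which needs a current (snap) Certbot.

```shell
#!/bin/sh
# Added example: classify the chain a TLS server sends as Let's Encrypt
# "long" (cross-signed by DST Root CA X3) or "short" (ends at ISRG Root X1).
# Requires openssl only for fetch_chain and last_issuer; the parsing
# helpers are plain awk/grep so they work on any PEM bundle.

# Number of certificates in a PEM bundle read from stdin.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print only the last PEM certificate block from stdin.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
       inblk { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { inblk = 0; last = buf }
       END { printf "%s", last }'
}

# Issuer CN of the last certificate in the bundle on stdin.
# Handles both "issuer=C = US, ..., CN = X" (OpenSSL 1.1+) and
# "issuer= /C=US/.../CN=X" (OpenSSL 1.0) output formats.
last_issuer() {
  last_cert | openssl x509 -noout -issuer 2>/dev/null \
    | sed -e 's/.*CN *= *//' -e 's#/.*##'
}

# Map the terminal issuer CN to the chain variant described in the post.
classify_issuer() {
  case "$1" in
    "DST Root CA X3") echo long ;;   # cross-signed ISRG Root X1 sent last
    "ISRG Root X1")   echo short ;;  # intermediate (e.g. R3) sent last
    *)                echo other ;;  # not a Let's Encrypt chain, or root included
  esac
}

# Fetch the served chain from a live host (placeholder host name).
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Usage (not run automatically):
#   fetch_chain example.com > chain.pem
#   echo "certs: $(count_certs < chain.pem)"
#   echo "chain: $(classify_issuer "$(last_issuer < chain.pem)")"
# To switch the served chain with a snap-installed Certbot:
#   certbot renew --preferred-chain "ISRG Root X1"
```

A "long" result for a server that must support the Windows Server 2008 client means switching to the short chain (or another CA) as discussed above; a "short" result means the older Android clients the post mentions will lose trust instead.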