I realize that likely this is not Certbot-related but have no idea where else to look for help.
When I run SSL Labs test on my domains they report, besides the 1st trusted chain, a 2nd untrusted chain:
Path #2: Not trusted (invalid certificate [Fingerprint SHA256: 0***************************************************************])
1 Sent by server *************
Fingerprint SHA256: 9***************************************************************
Pin SHA256: b*******************************************
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 6***************************************************************
Pin SHA256: j*******************************************
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server ISRG Root X1
Fingerprint SHA256: 6***************************************************************
Pin SHA256: C*******************************************
RSA 4096 bits (e 65537) / SHA256withRSA
4 In trust store DST Root CA X3 Self-signed
Fingerprint SHA256: 0***************************************************************
Pin SHA256: V*******************************************
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate
I suspect that the origin of the 2nd chain is the Apache server's certificate. I inherited it and have no idea of its origin. But what should I do about it? Ignore it and leave it as-is, or obtain/deploy another cert for it? It occurred to me to use one site's cert but it also occurred to me that doing so may create other errors or confusion.