SSL Labs reports 2 chains: trusted and untrusted

In short, that's normal. Compare yours to what SSL Labs shows for this forum website.

The default chain from Let's Encrypt is called the "long chain" and has multiple paths. The one with DST Root CA X3 is for compatibility with older android devices. A client (like a browser) only needs to find one trusted path. Most modern clients will see that path #1 is a trusted path and stop looking at the rest of the chain.

Probably more than you care to know but here is more info about this long chain and the alternate "short chain"