Our domains have been affected by the DST Root CA X3 expiration.
The only solution we found was to update certbot to at least 1.12 to have access to the --prefered-chain command to force ISRG Root X1.
The problem is that certbot only goes up to 0.31 with apt.
We tried snapd but it seems to not be compatible with our Ubuntu 16.04 (error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: unknown filesystem type 'squashfs')
Same goes for pip installation, which shows errors that seems to be linked to our python version.
Any help would be appreciated to update our certbot version, like many others, our system is down and clients are waiting.