Use Short/Alternate Chain by default

I am not an expert with HAProxy. But for most servers you can do it manually by removing the last cert in the fullchain.pem file. This is not the best approach, though, because you need to repeat this manual step each time you renew the cert.

The best is to upgrade your certbot version. See for instructions on upgrading to snap version and removing your 0.40 version. Certbot v1.12 is needed to use this option, which selects the short chain:

--preferred-chain "ISRG Root X1"

You will lose compatibility for older Android - as you note. You may want to review this topic too.
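
For setups that cannot upgrade yet, the manual step described above (removing the last cert in fullchain.pem) can be scripted so it repeats on every renewal. This is an added example, not code from the original post or from certbot; the function name `drop_last_cert` and the `SHORT_CHAIN_OUT` variable are assumptions, while `--deploy-hook` and `RENEWED_LINEAGE` are certbot's own.

```shell
#!/bin/sh
# Added example: automate "remove the last cert in fullchain.pem".
# drop_last_cert SRC DST copies the PEM chain in SRC to DST without its
# final certificate. It refuses to write anything unless SRC holds at
# least two certificates, so a leaf-only file is never emptied.
drop_last_cert() {
    src=$1
    dst=$2
    # grep -c exits non-zero on zero matches or a missing file.
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null) || total=0
    if [ "$total" -lt 2 ]; then
        echo "drop_last_cert: $src has $total certificate(s), not trimming" >&2
        return 1
    fi
    # Write to a temp file beside DST, then rename, so a reader never
    # sees a half-written chain.
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    if awk -v keep=$((total - 1)) '
            /-----BEGIN CERTIFICATE-----/ { n++ }
            n >= 1 && n <= keep { print }
        ' "$src" > "$tmp" && mv "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# When run as a certbot --deploy-hook, certbot sets RENEWED_LINEAGE to the
# renewed certificate's live directory. SHORT_CHAIN_OUT is a hypothetical
# variable naming where the trimmed chain should be written.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${SHORT_CHAIN_OUT:-}" ]; then
    drop_last_cert "$RENEWED_LINEAGE/fullchain.pem" "$SHORT_CHAIN_OUT"
fi
```

The output file is created with the restrictive permissions `mktemp` applies, so check that the server process can read it before pointing the configuration at it.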