** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
Zimbra ships their own versions of all those packages: zimbra-openssl-libs (not the issue) and zimbra-openjdk-cacerts (only very recently upgraded to include ISRG Root X1). But it seems their zimbra-perl-mozilla-ca, used for perl scripts, is also very out of date (2015), and does not yet contain ISRG Root X1.
Now show the command you ran that didn't like "ISRG Root X1".
It could have been a simple TYPO. certbot v1.21.0 definitely supports --preferred-chain
[weird how discourse displays the two consecutive dashes as dash space dash]
OK that is not something you "install"
It gets used in the certbot command line.
Like: certbot certonly -d EXAMPLE.com --preferred-chain "ISRG Root X1"
It tells certbot to request a cert with that chain.