** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
Zimbra ships their own versions of all those packages: zimbra-openssl-libs (not the issue) and zimbra-openjdk-cacerts (only very recently upgraded to include ISRG Root X1). But it seems their zimbra-perl-mozilla-ca, used for perl scripts, is also very out of date (2015), and does not yet contain ISRG Root X1.
i used this command to install it: sudo snap install --classic certbot
The command you ran. :
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Now show the command you ran that didn't like "ISRG Root X1".
It could have been a simple TYPO. certbot v1.21.0 definitely supports --preferred-chain
[weird how discourse displays the two consecutive dashes as dash space dash]
OK that is not something you "install"
It gets used in the certbot command line.
Like: certbot certonly -d EXAMPLE.com --preferred-chain "ISRG Root X1"
It tells certbot to request a cert with that chain.