because it worked for ages only with the ISRG root x1 and an old chain (that chain was added later by the script).
now it's working.
this is the working script
#!/bin/sh
DOMAIN=example.com
DIRECTORY=/etc/letsencrypt/live/$DOMAIN
su - zimbra -c "zmcontrol stop"
/usr/bin/certbot certonly --standalone -n --agree-tos --register-unsafely-without-email --preferred-chain "ISRG Root X1" --keep-until-expiring --key-type rsa -d $DOMAIN
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
cat /tmp/ISRG-X1.pem >> $DIRECTORY/chain.pem
su - zimbra -c "zmcontrol start"
chgrp -R zimbra $DIRECTORY /etc/letsencrypt/archive
chgrp -R zimbra /etc/letsencrypt/live/
chmod 750 /etc/letsencrypt/live/
find /etc/letsencrypt/archive -type d -exec chmod 750 {} \;
find /etc/letsencrypt/archive -type f -exec chmod 640 {} \;
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm $DIRECTORY/privkey.pem $DIRECTORY/cert.pem $DIRECTORY/chain.pem"
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/$DOMAIN/cert.pem /etc/letsencrypt/live/$DOMAIN/chain.pem"
su - zimbra -c "zmcontrol restart"