I did some research recently and have found that others have been reporting an issue with the lets encrypt certificate chain. It is related to the self-signed DSTx3 cert still being in the chain issued by let's encrypt on Ubuntu 18.04.6.

I have fixed the issue on my instance by doing the following, but we will need to review the issue for cert renewal.

1) Remove the APT install of certbot
sudo apt remove certbot

2) Install the Snap version of certbot which is newer than the apt repo
sudo snap install --classic certbot

3) Copy certbot to /usr/bin
sudo cp /snap/bin/certbot /usr/bin

4) Remove existing let's encrypt certs
sudo rm -rf /etc/letsencrypt

5) Request a new SSL cert with the correct chain using the ISRG Root X1 instead of the DST Root CA X3 which is defaults to
sudo certbot certonly --preferred-chain "ISRG Root X1" -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

6) Next to remove the older split intermediate certs and split the new intermediate certs
sudo rm -rf  /usr/local/share/ca-certificates/* && sudo cat /etc/letsencrypt/live/$FQDN/chain.pem|sudo awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "/usr/local/share/ca-certificates/intermediate-cert" n ".crt"}'

7). Next add the intermediate certs into the trusted store
sudo update-ca-certificates --fresh

8) Apply the correct owner and permissions to the new SSL cert and privkey
sudo chown -R root:sudo /etc/letsencrypt/
sudo chmod -R 750 /etc/letsencrypt/

9) next restart the zend daemon
sudo systemctl restart zend
zen-cli stop && sleep 4 && zend

As always if you have any questions hit me up below or on Discord.

Have a great day :)