Hi, for some domains the let's encrypt certificate is incomplete. It is not a fullchain certificate, it only contains the domain certificate without a ca certificate in the ssl.cert file. While trying to find out the reason, I've spotted that the ssl.cert file is created as a fullchain certificate first, and then it gets overwritten with a domain only certificate partial certificate. Perhaps it has something with the postfix or dovecot, because the certificate is used in the mail server as well.
incomplete letsencrypt certificate for some domains