Turns out we had a very similar issue as described here:
Our external legacy application that connects to our Discourse API is running on an old Windows 2008 R2 server.
For whatever reason, the Windows server and the Discourse server were unable to agree on a cipher suite after the recent Discourse updates were installed earlier this week. Whether some ciphers were altered during the update, or if this issue coincided with a LetsEncrypt cert renewal at the same time, I don’t know
Anyway, rather than edit our Discourse, I was able to add a couple of cipher suites to the Windows server that they both agreed on, again with the help of the SSL Labs link that @Falco shared above
I guess this was caused by the change of cipher suites during the upgrade to Debian. I would have expected that my addition of the elliptic curve certificate would have made this work on all older Windows systems, not just IE11. If I’m not mistaken IE11 uses the Windows crypto library…