I’ve seen a couple of cases where one had to clear the cache and restart Chrome before it showed the valid certificate.
Some browsers have a chain of trust cached which includes the old X1 leaf certificate - which LetsEncrypt has ended. They’ll “choke” when they get to that old cert and find it expired.
The predicament: Updated browsers are happy with the new shorter chain of trust whereas older browsers still want the longer chain of trust. It’s all about updating everything for more security.
One way of updating your server using acme.sh v3.0.1+ to use the preferred chain of trust is:
Preferred Chain · acmesh-official/acme.sh Wiki · GitHub
Set the shorter ISRG preferred chain system wide by default with letsencrypt and then renewing all certificates
acme.sh --set-default-chain --preferred-chain "ISRG" --server letsencrypt
acme.sh --renewAll --force
This is actually one of the very few times that the
--force flag is appropriate.
Beware though… older browsers may refuse the shorter chain of trust and will insist on getting the cert. This can also be downloaded as an alternate chain of trust. I believe Lets Encrypt has a link expressly for that purpose. I’ll hop on over there, get that and post it here.