How did you install the certificate? Because it’s probably not automatically installed by certbot.
Your Apache is serving two intermediate certificate: both incorrect ones, for Android that is. It’s sending the X1 intrrmediate signed by DST root. The correct root, but the incorrect intermediate (X1 isn’t used any more…) and the X3 intermediate signed by ISRG root. The correct intermediate, but (for Android) the incorrect root. You’d want the X3 signed by DST root
The ISRG root is not yet trusted by browsers in general. This is part of ISRG’s long-term strategy and the process will take years, both to complete the root program approval process with each root program, and to wait until old browsers that don’t contain the ISRG root stop being used in the wild.
@Osiris is right: the only certificate chain that is widely trusted by browsers today that you can use with currently-being-issued Let’s Encrypt certificates is the X3 intermediate signed by DST. That is available at
Most people installing a cert should never have to download anything at all from https://letsencrypt.org/certs/, because Let’s Encrypt clients normally handle this for you. For example, if you used Certbot, you have a file fullchain.pem which already contains this chain as provided by the CA at the time your cert was issued.
