APIs with ISRG Root X1 certificate not connecting from legacy Android

Hi,
I renewed my certificate on 30 September.
If I go to a client I see the chain -> R3 -> ISRG Root X1

However, my API is not accessible from legacy Androids.
I am wondering if I have a problem with my cross sign and all.
What is the deal with the alternate chain, and how can I check if I am serving the alternate chain from my Windows Server 12 R2?

It is difficult to serve the legacy chain from Windows if you are using IIS, because Windows builds the chain itself and doesn't favor the DST Root CA X3 path (Apache and nginx are different, they provide the certificate chain in a file).

I'd recommend you switch to another ACME CA such as ZeroSSL if you have a mix of old and new clients to support.

2 Likes

Ok.
Does this mean that the certificates we obtain from Let's Encrypt by default contain the DST Root CA X3 chain as well? For Apache and nginx servers the alternate chain can be served on priority, whereas in IIS there is no option of serving the DST Root CA chain because it is expired. Please confirm.