Certificate not valid, expired root

Yes, that is likely. It would be helpful to know the OS version for the failing client and the versions of the browser(s). And, if the Chrome attempt was on that same machine or a different problem.

Some info I hope is helpful ...

You are sending the default "long chain" from your server. It is the same chain this website uses (and many others). Browsers make their own chains to adapt to poorly configured servers and other reasons. You cannot tell what the server sent looking at the browser info. Use a site like this one instead:

The DST Root CA X3 is not deprecated although it did expire. There are some tradeoffs involved in using this "long chain". Here is a good overview with other links about the DST expiration and the long and alternate "short" chain. Probably more than you care to know but at least some parts will be helpful.

When you learn the details of the failing client post back here and we can provide better instruction.