We are running in to an issue with certificates signed by ISRG Root X1 not being enabled for client authentication on Windows. This was discussed before here:
After talking with Microsoft Premier support they stated that getting the cert enabled for client auth is a conversation that needs to happen between Lets Encrypt and Microsoft. They stated there was some back channel communication happening but asked that we also let Lets Encrypt know this is an important issue for us. We are putting pressure on Microsoft to move forward with this as well.
In short we rely on this feature for our setup with Microsoft Service Fabric and others have voiced support on mTLS grounds. Im hopeful that Lets Encrypt will take up getting this worked out before the old R3 cert expires on Sep 30th. If this is not something Lets Encrypt is interested in perusing a statement to that effect would also be helpful so we can move this service to a different provider before the old cert expires.