It seems the checkhost service can’t check domains with incomplete certificate chains. See e.g.:
Evidently it just returns “unknown: x509: certificate signed by unknown authority”.
Is it feasible/possible/worth it to preload it with the X3 intermediate or enable AIA fetching or something?
For numbers, IIRC there’s one other post where someone ran into this.