I can also confirm that we were served LE certificate with expired ISRG X2 cross signed intermediate causing old devices having issues to init connection to our servers.
This cert was provisioned by CLOUDFLARE to us, and until then previous certificate had correct chain.
Issue got resolved presumably by CF or LE sometime at 12AM on Sunday effectively causing reissue of the cert with reissued cross signed ISRG X2 intermediate. (previous one expired in 2025, now serving one expiring in 2032.
3 s:C=US, O=Internet Security Research Group, CN=ISRG Root X2
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: May 13 00:00:00 2026 GMT; NotAfter: Sep 2 23:59:59 2032 GMT
So I think OP has point, and someone should definitely look at this in my opinion.
@kubajx29 I moved your post to its own thread. Your problem is distinct from the other which will need different debugging steps. Sure, the symptom you describe is similar but the causes are likely different.
Had you posted in the Help section initially you would have been shown a form asking for info. For now I don't think that is helpful but I do have some initial questions.
What is the domain name that was serving the wrong chain?
When did you first notice the problem with the chain?
You say Cloudflare provisions the cert and chain. Did you report the problem to them and what did they say?
What Cloudflare service are you using for that provisioning?
As a note, Let's Encrypt issues millions of certs per day. Without any details to start with it is very difficult to isolate the problem. We have seen a very small number of people that had issues when LE started issuing from its Y generation roots. But, so far we have only confirmed cases of mis-configured servers and not mis-issued certs.
It looks like Cloudflare is aware of an issue with their configuration of Let's Encrypt chains.
That makes me think the "someone" you want to look at it already is.
Hey guys,
thanks for moving the post to different thread and much thanks @petercooperjr for linking the CF post, we most likely missed the announcement from CF.
Since this was configuration issue at the CF I think we can close this one.
Again, thanks everyone