I have installed your certifications in my domain from the past years but now i am trying to integrate with another service and they have notice that one of certificates in the chain is not valid more specific the certificate issued by DST Root CA X3 and i admit that I am bit lost in how to solve or ammend this problem. Any possible direction would be highly appreciated.. I have paste an screenshot of the complain of the service just in case it helps.
The DST Root CA X3 root certificate has expired. It's only used for Android compatibility for Android versions pre-7.1. Usually, TLS clients would just ignore the DST Root CA X3 and would validate the R3 intermediate signed by the ISRG Root X1 root certificate, provided that TLS client has this root cert in its root certificate store.
The link @Osiris gave talks about an "alternate chain" that can be configured so your web server doesn't serve the copy of "ISRG Root X1" that points to the expired DST Root. Here's a bit more info on the difference between the chains.
Since you're on Linux using an up-to-date version of certbot with nginx, you should be able to use the alternate chain by including --preferred-chain "ISRG Root X1" in your certbot commands. I'm not exactly sure the best way to modify existing orders. But I'm sure others more familiar with certbot might be able to provide that guidance.
Also the reason you can view the cert in Windows and the chain looks ok is because Windows knows DST Root CA X3 is expired and builds the alternate chain itself, but your actual service can still be serving using the the old chain. See also https://chainchecker.certifytheweb.com/
