Does Safari or something show the Certificate Transparency information for the certificates? To be precise, the two embedded SCTs?
Some or all of the newer certificates you’ve mentioned have embedded SCTs from a newer log – coincidentally, the Oak log run by Let’s Encrypt.
Oak has only been Usable in Google Chrome since version 80, which was released in February, so Let’s Encrypt only started embedding SCTs from it recently.
(Let’s Encrypt uses a number of CT logs. Different certificates may have SCTs from different ones, even if they were issued around the same time.)
However, it has apparently been Usable in Apple’s CT implementation since December 2.
And I believe enforcement is designed to fail open – even if macOS somehow fails to update the list of supported logs for months, I believe it will disable enforcement, not reject good certificates.
I’m proposing this as a theory, but it should not be possible for it to go wrong.
Is there any documentation of what that error message means…?