Padlock not working on old mobile phones

@sasamilivojev I still see that you are sending out two different cert chains. One from Let's Encrypt. The other is from Comodo that expired almost 2 years ago and is even for a different domain name (orion.rs). You should remove the Comodo cert.

Even after removing that there is bad news. IIS will, by default, send the "short chain" for Let's Encrypt certificates ending in ISRG Root X1. This is known to be incompatible with Android devices before v7.1.1 which need the "long chain" ending in DST Root CA X3.

The two best options for IIS needing to support old Android are these:

  • (Easiest) Switch to a different ACME CA that provides certs still compatible with the Android version you're targeting (maybe ZeroSSL)
  • (Hacky/Unsupported) Tweak the Windows cert stores in such a way that it forces the OS to pick the long chain. (Guide)

These options come from an ACME developer who wrote about this here. He describes other options but they are more complicated.

5 Likes
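A quick way to check what a server actually sends, as an added diagnostic that is not part of this thread: the script below pulls the served certificate list with `openssl s_client -showcerts`, reads each certificate's subject and issuer CN, and then reports whether the chain is the "short" one (ending in a certificate issued by ISRG Root X1), the "long" one (containing the ISRG Root X1 cross-signed by DST Root CA X3), and whether any stray certificate that does not link into the chain (such as a leftover certificate for another domain) is being sent along. The function and variable names are mine, and the sample chains in the test are constructed, not captured from any real host.

```python
# Added example (not from the forum thread): report which Let's Encrypt chain
# a server sends.  Needs only Python 3 and the `openssl` command-line tool.
import re
import subprocess
import sys

SHORT_ROOT = "ISRG Root X1"   # issuer at the top of the default "short" chain
LONG_ROOT = "DST Root CA X3"  # issuer of the cross-signed ISRG Root X1 in the "long" chain

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fetch_pem_chain(host, port=443, timeout=20):
    """Return the certificates the server sends, leaf first, as PEM strings.

    Uses `openssl s_client -showcerts`; SNI is set so name-based virtual
    hosts answer with the certificate for `host`.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout,
    )
    return PEM_RE.findall(proc.stdout.decode("utf-8", errors="replace"))


def parse_names(x509_output):
    """Extract (subject CN, issuer CN) from `openssl x509 -subject -issuer`
    output printed with -nameopt RFC2253, which looks like:
        subject=CN=R3,O=Let's Encrypt,C=US
        issuer=CN=ISRG Root X1,O=Internet Security Research Group,C=US
    """
    def cn(label):
        m = re.search(rf"^{label}=.*?CN=([^,\n]+)", x509_output, re.M)
        return m.group(1).strip() if m else ""
    return cn("subject"), cn("issuer")


def subject_issuer(pem):
    """Ask openssl for one certificate's subject and issuer CN."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-nameopt", "RFC2253"],
        input=pem.encode(), capture_output=True, check=True,
    ).stdout.decode()
    return parse_names(out)


def classify_chain(pairs):
    """Classify a served chain given [(subject_cn, issuer_cn), ...], leaf first.

    Returns (kind, stray): kind is "short", "long", "other" or "empty";
    stray lists subject CNs that do not link to the previous certificate's
    issuer, i.e. certificates that do not belong in this chain at all.
    """
    if not pairs:
        return "empty", []
    stray = []
    expected = None            # subject CN the next certificate should carry
    for subject, issuer in pairs:
        if expected is not None and subject != expected:
            stray.append(subject)
            continue           # a stray cert must not break the walk
        expected = issuer
    cross_signed = any(s == SHORT_ROOT and i == LONG_ROOT for s, i in pairs)
    if cross_signed:
        return "long", stray   # old Android (< 7.1.1) needs this one
    if expected == SHORT_ROOT:
        return "short", stray  # relies on the client trusting ISRG Root X1
    return "other", stray


def report(host, port=443):
    pairs = [subject_issuer(pem) for pem in fetch_pem_chain(host, port)]
    kind, stray = classify_chain(pairs)
    for subject, issuer in pairs:
        print(f"  {subject!r:40} issued by {issuer!r}")
    print(f"chain type: {kind}")
    if stray:
        print(f"stray certificates that should be removed: {stray}")
    return kind, stray


if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else "example.com")
```

Run it as `python3 chaincheck.py your.host.name`; a result of `short` (or a listed stray certificate) on a server that must serve Android 7.0 and earlier means the chain-selection problem described above is still present.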