Summary: A few weeks ago I replaced/renewed the CERT on our website, which is hosted on Google Cloud with a load balancer (but currently running 1 site behind it). Since then, my personal browers and a couple of other co-workers can see the site no problem, however, traffic has dropped and even my mobile browsers are showing the cert is invalid. I probably missed a step somewhere, but I'm clueless as to where.
I imported the new cert into the load balancer and it still shows the next day etc. SSLLabs reports the cert is valid, but browsers do not.
FYI - I inherited this site so I don't know all the details but can get whatever is required.
[cloudshell-user@ip-10-1-83-141 ~]$ openssl11 s_client -connect www.vibuk.com:443
CONNECTED(00000003)
depth=0 CN = vibuk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vibuk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = vibuk.com
i:C = US, O = Let's Encrypt, CN = R3
---
In addition to your "leaf" cert, your system needs to send the "intermediate". I'm not especially familiar with whatever load balancer you're using, but generally one needs to use the "fullchain.pem" file instead of "cert.pem" so that it will include all the certificates. Hopefully that can get you at least pointed in the right direction.
The reason it will "sometimes" work is that browsers will often cache intermediates sent by the other sites, so if you've visited a properly-configured site that uses Let's Encrypt recently enough in your browser then you won't see the problem. (And Firefox does one better, and actually preloads all intermediates that it can ahead of time.) But to be sure to work all the time, you need to be sending the intermediates yourself.