thank you. this explains what happened Sunday.
all of my web servers were serving the chain cert as well (via Apache httpd SSLCertificateChainFile). but I had a dovecot providing IMAPS that wasn’t (just had the cert and not the chain cert appended at the end).
And that IMAPS worked saturday but suddently failed Sunday. Was using the Apple mail client on IOS 11.2.6. Making dovecot use a chain cert (server cert with the intermediate appended) made Apple mail work again.
And I validated that with the rollback mentioned above, I could change dovecot back to just the server cert and Apple mail still worked. I then put the chain cert back in place since it is more correct.