Thanks for the clarification @webprofusion
I want to ask if this affects the Nuget versions too.
ALso if I compile and use a new build, what options should I use for --preferred-chain to prevent the issue.
The clients also reported the issue on Chrome, so I can't be sure it's an android-only problem.
Was it Chrome desktop? If so that shouldn't have any errors.
Hmm, if you fetched the certes cli using Nuget you might get NuGet Gallery | Certes 2.4.0-beta0001 which is a very recent update and internally it does know about preferred-chain options but as far as I know the cli doesn't have an option for it yet.
Certes has an unusual maintenance history as it was briefly orphaned but now may be maintained again(?).
I'd suggest using a different tool to get your PFX, any of these will work normally and follow the default DST Root CA X3 chain:
[Edit: or just use certbot then convert the resulting certificate to PFX. You also have the option with any of these to simply use a different ACME CA, such as BuyPass Go or Zero SSL, that way you can avoid the Android issue].
You replies have really been helpful. I will try some of the options you listed especially your app!
The app looks quite good and should work easily for our use case.
I think this is a recent beta version that may not be widely used and may have a bug, I haven't tried it myself - certes has a CLI and a library, Certify uses a version of the library (currently my own fork).