Note regarding transition to R3 intermediate with Firefox or Thunderbird

If anyone finds they are suddenly having trouble with Firefox or Thunderbird connecting to services that use Let's Encrypt certificates, check that your certificate includes the new R3 intermediate in the certificate chain.

Thunderbird (for instance) has a copy of the old X3 certificate in its store, but not the R3. This means that if you previously skipped having the intermediate in your certificate chain file (which is usually a PEM format file) and perhaps only used a certificate file with your leaf/end-entity certificate, then the certificate will no longer validate properly on some clients.

4 Likes

That should happen automatically of course though :wink:

Yes... and no.

Yes, it should chain to it [may require additional client lookup to pass validation].

No, it wouldn't be included automatically when cert.pem is used alone.
[only when the fullchain.pem file is used (or cert + CA bundle - depending on ACME client)]
[and it would definitely NOT be included when the wrong intermediate cert is included - LOL]

1 Like

Yes, in the case of Certify it does pull down the chain and bundle it as a PFX; it's subsequent conversions by the user (or using the various export options) for use with various services/servers that may be missing the intermediate.

1 Like
