One of these certs is not like the others - DST Root CA X3 breaking antique hosts

Pretty sure it was the DST root because I was seeing a cert expired error, and using the hack suggested elsewhere of changing the expiration date in the crt bundle with sed has mitigated the issue for the moment:

Haven't found config differences between servers, but noted below there was an issue with Let's Encrypt servers where they were serving the shorter chain for a time period, when most of my certs were either generated or renewed.

And yes, the old CentOS 6 hosts have to connect to each other, as well as serving some pages to the general public. I've built some new hosts with current OS, but because of dependencies these three can't be lift-and-shifted at the app layer.

Am very relieved that in the short term everything is at least talking again - and to have an explanation for why the certs were different despite what should have been identical configurations.
