When you "order" a Certificate from Let's Encrypt, you receive both the Leaf/EndEntity Certificate that covers your domain AND the Intermediate Certificate (such as R3 or R10) that corresponds to the PrivateKey used to sign your certificate.
The intermediate certificates were signed by the Trusted Root. R3 and R10 are intermediate certificates, which are subject to change without notice.
One of these two things likely happened:
- You changed the Intermediate Certificate when you didn't have to, e.g. your certificate was signed by R3 but you configured the server to use R10 as an intermediate.
- You did not change the Intermediate Certificate when you had to, e.g. your Certificate was signed by R10 but you did not update the server's configuration for the intermediate and are still serving R3.
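
One way to check for either case, as an added example that is not part of the original post: compare the leaf's issuer with the intermediate's subject, then confirm the signature chain with `openssl verify`. The function names and the `demo-root`, `demo-R3` and `demo-R10` certificates are constructed locally for the demonstration; they are stand-ins, not Let's Encrypt's real certificates.

```shell
#!/bin/sh
# Added example. "demo-R3"/"demo-R10" are constructed test CAs, not Let's Encrypt's certificates.

# Write a constructed PKI into the current directory:
# demo-root -> demo-R3 and demo-R10 (intermediates); leaf.pem is signed by demo-R3.
make_demo_pki() {
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -config demo.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
        -subj "/CN=demo-root" -keyout root.key -out root.pem -days 2 2>/dev/null || return 1
    for ca in demo-R3 demo-R10; do
        openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$ca" \
            -keyout "$ca.key" -out "$ca.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$ca.csr" -CA root.pem -CAkey root.key -CAcreateserial \
            -extfile demo.cnf -extensions ca -days 2 -out "$ca.pem" 2>/dev/null || return 1
    done
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null || return 1
    openssl x509 -req -in leaf.csr -CA demo-R3.pem -CAkey demo-R3.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null
}

# Print the issuer (mode "issuer") or subject (mode "subject") DN of a PEM certificate.
dn_of() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# check_chain LEAF INTERMEDIATE ROOT: prints "ok" (returns 0) or a mismatch line (returns 1).
# The DN comparison catches a wrong intermediate by name; openssl verify also catches
# an intermediate with the right name but a key that did not sign the leaf.
check_chain() {
    if [ "$(dn_of issuer "$1")" = "$(dn_of subject "$2")" ] &&
       openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo "mismatch: leaf issued by '$(dn_of issuer "$1")', server would send '$(dn_of subject "$2")'"
        return 1
    fi
}
```

Against a real deployment, pass `check_chain` the leaf and intermediate files the server is configured to serve, plus the root they should chain to.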