Renew DST Root CA X3 on IIS?

Welcome to the forums, @Ecoit. I think your understanding of the situation is a bit confused. Let me try to clarify.

There is no way to un-expire or renew the actual DST Root CA X3 cert that expired. When ACME clients request a new certificate from Let's Encrypt, the default chain that is returned with that certificate contains a cross-signed copy of the ISRG Root X1 certificate signed by that now-expired DST root. This is done on purpose to retain compatibility with old Android clients, because they don't care that the DST root is expired and they don't trust the newer ISRG root, since they're no longer receiving updates.

In addition to the default chain, ACME clients can request and use an alternate chain that does not include any references to the DST root, but requires that clients already trust the ISRG root.

The default/alternate chain situation is unfortunately more complicated on Windows servers because IIS does not allow any control over which chain is served with a leaf certificate. It cedes control of the chain building to the underlying OS which does care that the DST root is expired and will only serve the alternate (aka "short", aka non-old-android-compatible) chain without additional tinkering in the Windows certificate stores.

So if you're running a website on IIS without any sort of reverse proxy in front of it and you need to support old Android users, you have a few options:

  • (Easiest) Switch to a different ACME CA that provides certs still compatible with the Android version you're targeting.
  • (Hacky/Unsupported) Tweak the Windows cert stores in such a way that it forces the OS to pick the long chain. (Guide)
  • Use an alternative Windows-based web server that doesn't rely on the OS to do chain building.
  • Add a Linux-based reverse proxy that sits in front of your IIS server, terminates the TLS connections, and allows better control over which chain is being served.
  • Use a service like Cloudflare that also acts as a reverse proxy.
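As an added example (not code from the post above or from Let's Encrypt), the following PowerShell script asks the Windows CryptoAPI chain engine to build the chain for a Let's Encrypt leaf certificate in the local machine store and reports whether the result ends at the expired DST Root CA X3 (the "long", old-Android-compatible chain) or at ISRG Root X1 (the "short" chain). The thumbprint is a placeholder you replace with the one bound in IIS; X509Chain uses the same OS chain building that IIS defers to, so this is a reasonable approximation of which chain the server will end up serving.

```powershell
# Added example: report which chain Windows builds for a leaf certificate.
# The default thumbprint is a placeholder (assumption); pass the one bound in IIS.
param(
    [string]$Thumbprint = '0000000000000000000000000000000000000000'
)

$leaf = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $leaf) {
    throw "No certificate with thumbprint $Thumbprint found in Cert:\LocalMachine\My"
}

# X509Chain wraps CryptoAPI's CertGetCertificateChain, the same engine the OS
# uses when IIS/SChannel assembles the chain sent to clients.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$built = $chain.Build($leaf)

Write-Host ("Chain valid under default policy: {0}" -f $built)

# Walk the chain from leaf to root and show per-element validity problems
# (an expired DST Root CA X3 shows up here as NotTimeValid).
$i = 0
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    Write-Host ("[{0}] Subject : {1}" -f $i, $c.Subject)
    Write-Host ("    Issuer  : {0}" -f $c.Issuer)
    Write-Host ("    NotAfter: {0:u}" -f $c.NotAfter)
    foreach ($s in $el.ChainElementStatus) {
        Write-Host ("    Status  : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $i++
}

# Classify by the top-most certificate the OS chose.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -match 'DST Root CA X3') {
    Write-Host 'Result: LONG chain (ends at DST Root CA X3; compatible with old Android).'
} elseif ($top.Subject -match 'ISRG Root X1') {
    Write-Host 'Result: SHORT chain (ends at ISRG Root X1; clients must already trust ISRG Root X1).'
} else {
    Write-Host ("Result: chain ends at an unexpected certificate: {0}" -f $top.Subject)
}
```

Run it in an elevated PowerShell on the IIS host, e.g. `.\Check-LEChain.ps1 -Thumbprint <thumbprint>` (the script name is my choice). If the output says SHORT even though the cross-signed ISRG Root X1 intermediate was supplied with the certificate, that is the OS-side chain building the post describes at work; the status lines tell you which element it rejected and why.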