I just moved your thread to the Help category. You would have been asked to answer these questions which would be very helpful to us
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Ah. There are two paths down the "long" chain you are using.
One ends at ISRG Root X1 Modern clients have that in their Trusted CA Store so stop validating when they see that.
Your SSLChecker only looked at the last cert and said it did not have that root in their store. Fair enough. That intermediate for DST Root CA X3 is used for older Android device compatibility.
This is changing this year anyway so I don't know it is worth it to report a bug to sslchecker. Starting next month the DST Root CA X3 is gradually being removed from the system.
See below blog post for more details on this transition