The sites might complain about the expired root DST Root CA X3 (which is what you want I'm guessing?), but maybe they're complaining about something else.
Without knowing more details about the results of those websites (e.g., the actual chain sent by the webserver) or the hostname you're testing it's hard to know.
This is exactly why the questionnaire MANDATES the mentioning of the hostname in question, where I'm assuming demo.com is NOT actually the hostname you want to fix. It's very tedious to have to work with just a little bit of information and have to request more info while it's usually a simple check when we know the actual hostname.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I don't know what you did to your webserver's (note that "AWS EC2" is not a webserver software application, your webserver is "Apache") chain, but it's indeed sending an incomplete chain. It's currently sending:
end leaf certificate signed by R3
intermediate certificate ISRG Root X1 signed by DST Root CA X3
It's missing the R3 signed by ISRG Root X1 intermediate certificate in between.
It's interesting that the fullchain.pem file contains the missing intermediate certificate. Prior to April, everything was working fine, including the SSL configuration. Then I tried to manually renew the certificate using sudo certbot renew.
I am guessing you have a hook or other process to modify the fullchain file. And that this modified file is what Apache is using. Some people did that to create a "short chain" from the default "long chain". But, the "short chain" is now the default so trying to modify it can create problems.
sudo certbot certificates
Renewal configuration file /etc/letsencrypt/renewal/domain.conf produced an unexpected error: fullchain does not match cert + chain for domain!. Skipping.
There is actually a very easy solution to your DST Root CA X3. Certbot has an option to get the alternate chain that includes it. Although, this will only work until Jun 6 (just a couple weeks from now). On Jun 6 Let's Encrypt will no longer offer this alternate chain. See the article in post #2 of this thread.
But, you modified the file(s) in the Certbot /live/ folders so Certbot no longer works. Please do not modify files in the /etc/letsencrypt/live folders. These are managed by Certbot. If you must modify those, make a copy in your own folder and use those.
I can help you get Certbot working again. If you want help with that, show this:
ls -l /etc/letsencrypt/live/www.pro.curiousfly.com
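The "fullchain does not match cert + chain" error quoted above can be reproduced offline. The script below is an added example, not part of the thread and not Certbot's own code: it approximates that comparison by checking that the certificates in fullchain.pem equal those in cert.pem followed by chain.pem, ignoring line endings. The function names and the sample lineage (placeholder base64 bodies, not real certificates) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Certbot's code): does fullchain.pem equal cert.pem + chain.pem?

# Print each PEM certificate body on one line, dropping CR and stray whitespace,
# so the comparison is about certificate content rather than line endings.
pem_blocks() {
  awk '{ sub(/\r$/, "") }
    /^-----BEGIN CERTIFICATE-----$/ { inblk = 1; body = ""; next }
    /^-----END CERTIFICATE-----$/   { if (inblk) print body; inblk = 0; next }
    inblk { gsub(/[ \t]/, ""); body = body $0 }' "$@"
}
count_certs() { awk 'NF { n++ } END { print n + 0 }'; }

# check_lineage DIR: returns 0 on match, 1 on mismatch, 2 if a file is unreadable.
check_lineage() {
  local dir=$1 f expected actual
  for f in cert.pem chain.pem fullchain.pem; do
    [ -r "$dir/$f" ] || { echo "unreadable: $dir/$f"; return 2; }
  done
  expected=$(pem_blocks "$dir/cert.pem" "$dir/chain.pem")
  actual=$(pem_blocks "$dir/fullchain.pem")
  if [ -n "$actual" ] && [ "$expected" = "$actual" ]; then
    echo "OK: fullchain.pem = cert.pem + chain.pem ($(printf '%s\n' "$actual" | count_certs) certs)"
    return 0
  fi
  echo "MISMATCH: fullchain.pem has $(printf '%s\n' "$actual" | count_certs) cert(s)," \
       "cert.pem + chain.pem has $(printf '%s\n' "$expected" | count_certs)"
  return 1
}

# Constructed sample lineage: placeholder base64 bodies, not real certificates.
pem() { printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"; }
make_sample() {
  pem "Q09OU1RSVUNURUQtTEVBRg==" > "$1/cert.pem"
  { pem "Q09OU1RSVUNURUQtSU5UMQ=="; pem "Q09OU1RSVUNURUQtSU5UMg=="; } > "$1/chain.pem"
  cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

demo() {
  local d; d=$(mktemp -d)
  make_sample "$d"
  check_lineage "$d" || true              # untouched lineage: OK
  # Simulate a process that rewrote fullchain.pem and dropped the first intermediate.
  { cat "$d/cert.pem"; pem "Q09OU1RSVUNURUQtSU5UMg=="; } > "$d/fullchain.pem"
  check_lineage "$d" || true              # now reports MISMATCH
  rm -rf "$d"
}
demo
```

To check a real lineage, call check_lineage with the directory under /etc/letsencrypt/live as root; the script only reads the files.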