The problem is related to Certificate Transparency, and how Let’s Encrypt and many other CAs implement it.
- The CA issues a “precertificate”, which is just like the real certificate, except it has a special “poison” extension that tells clients it’s not a valid certificate.
- The CA submits the precertificate to some CT logs, getting back SCTs, proof that the precertificate exists and when they submitted it.
- The CA issues the real certificate, with a special extension containing the SCTs.
- Optionally, the CA may log the real certificate to CT logs, just for fun.
The precertificates cannot be used. The real certificates are bigger.
The website crt.sh is backlogged processing records from some CT logs, and consequently final certificates from Let’s Encrypt do not show up quickly.
For your recent certificates, crt.sh only has the precertificates available to download.
The good news is that you can get the serial numbers from crt.sh and then use those to download the real certificates from Let’s Encrypt.
For example, your most recent (pre)certificate:
Serial number:
03:c3:bb:49:de:e5:2a:fc:5f:6a:28:88:78:76:2e:cf:d3:fb
Remove the colons and get:
03c3bb49dee52afc5f6a288878762ecfd3fb
And download the certificate (and intermediate) from:
https://acme-v02.api.letsencrypt.org/acme/cert/03c3bb49dee52afc5f6a288878762ecfd3fb
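The steps above as a small script, added here as an example (it is not part of the original post and not Let's Encrypt's or crt.sh's code): it turns a crt.sh serial into the download URL and reports whether a certificate you already have is a precertificate or a final certificate. The function names are hypothetical, the OIDs are the CT extension OIDs from RFC 6962, and `classify` is a byte-search heuristic rather than a full X.509 parse.

```python
import base64
import re

# CT extension OIDs (RFC 6962): precertificate poison and embedded SCT list.
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"
CERT_URL_PREFIX = "https://acme-v02.api.letsencrypt.org/acme/cert/"  # from the post

def normalize_serial(serial: str) -> str:
    """Turn a crt.sh serial ('03:c3:...') into bare lowercase hex."""
    hex_only = re.sub(r"[:\s]", "", serial).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hex_only):
        raise ValueError(f"not a hex serial number: {serial!r}")
    return hex_only

def cert_url(serial: str) -> str:
    return CERT_URL_PREFIX + normalize_serial(serial)

def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last base-128 digit has no high bit
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file (the leaf)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def classify(der: bytes) -> str:
    """Heuristic: look for the encoded CT OIDs anywhere in the DER bytes."""
    if der_oid(POISON_OID) in der:
        return "precertificate"
    if der_oid(SCT_LIST_OID) in der:
        return "final certificate with embedded SCTs"
    return "no CT extension found"

if __name__ == "__main__":
    # Constructed sample: a lone poison extension, not a real certificate.
    sample = bytes([0x30, 0x13]) + der_oid(POISON_OID) + bytes.fromhex("0101ff04020500")
    print(cert_url("03:c3:bb:49:de:e5:2a:fc:5f:6a:28:88:78:76:2e:cf:d3:fb"))
    print(classify(sample))
```

To check a downloaded file, pass its contents through `pem_to_der` and then `classify`; only the first certificate in the file (the leaf) is inspected.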