Hi! I am submitting this here because it’s not really a bug - at least not for Cloudron.
I have encountered the same situation with Android clients in my implementation of AdGuard Plus that is described here: Let’s Encrypt and DNS over TLS on Android.
Long story short, Let’s Encrypt’s expired X3 certificate causes problems for Android clients on DNS-over-TLS.
The issue can be mitigated by invoking the option
—preferred-chain “ISRG Root X1” when renewing Let’s Encrypt certificates, which excludes the expired certificate from the cert chain.
It's in no way a Cloudron bug, but since Cloudron handles certificate renewal, it seems to me to be the best place to insert a solution.
I believe Cloudron uses the ACME API in order to request renewals from Let’s Encrypt, and I would love to have the ability to specify the above option (or perhaps the ability to request other options as well might also be useful to others) within the Cloudron UI or API as part of the certificate setup/renewal.
Thanks for your time, and please let me know if you need any clarification at all.