Here's a copy of a post I made elsewhere, I'm not sure if you saw it etc. I added a summary to the end of this post.
------------------
Hello, I have a macbook pro that's still running El Capitan 10.11. If I try to use Safari on this system, version 11 apparently, I get this when navigating to the Acorn site.
I seem to be able to drop into more details, and request that my system start trusting the issuing authority if I type in my device password, and I assume that'll get it working in Safari.
So, switching to a different browser, your site works just fine for me in whatever the most updated version of chrome is probably, but, also note that the root certificate being used appears to be issued from a slightly different authority:
So, your customer may or may not be being impacted by something like this, but most likely only if they are using an older system? I think this is the same error that Anahata experienced with his Android tablet. I'm not sure why one root certificate is being picked over the other, or, if one browser is simply displaying the chain in a different manner to the other, but, hopefully this gives you an idea of what to investigate.
------------
The website does work ok using Safari on a macbook air running OSX Mojave. In this situation, it still finds the X1 certificate, but Let's Encrypt's ISRG Root X1 is considered trusted by this system, as enough time has passed and the world has decided to trust them. They talk about the situation a little bit here;
https://letsencrypt.org/certificates/ Basically, my take is:
Your certs are present and correct, however, some people's devices do not trust the Let's Encrypt ISRG Root X1 authority which signed one of the 2 trust chains, because they're just slightly older devices and didn't know about this authority yet. There is supposed to be a path around this, and you do implement this on your page, but, for some reason, I think that it isn't always working when people visit your domain - potentially some browsers are 'accepting' the alt X3 cert, certificate, some are rejecting it. This leaves only the X1 certificate, which the system doesn't trust, so, we get this error.
Most likely, at this stage, I'd guess that there is some tiny 'mistake' in your site's configuration somewhere that is discouraging some people's browsers from using the backup DST Root CA X3 pathway, which most likely their system trusts, and this is why the site works on my system in chrome, but not safari, on the same system - I believe safari must have rejected one of the certs for some reason. SSL certs are like a can of worms, though, so, what qualifies as a mistake can be really questionable. You should be fine, but, some small thing is upsetting things somewhere, and it's generating this very aggressive information page to the user, which really isn't very fair to anyone.
edit - For posterity, I had a little thing/experiment, I would quickly like to link this in particular:
https://valid-isrgrootx1.letsencrypt.org/This is apparently Let'sEncrypt's reference website of 'check out how our cool SSL cert trust chain works!'. Importantly, it also doesn't work on safari on my system either, while it does in chrome, with exactly the same outcome wrt cert pathways. My guess is that the above link also doesn't work for anyone who has been having trouble accessing your website.
So, I dunno, if Let's Encrypt's reference, correctly set up example exhibits this behaviour, then actually I'm not sure anything is 'wrong' with the acorn page's implementation at all?
In any case, best of luck with it!