Hello again, everyone. Here is the situation as I understand it at this time. I say "at this time" because things are constantly evolving. There were actually two separate issues that happened at the same time, with one of those issues being outside of our control. The first issue, as you all know, is that Let's Encrypt expired their main root certificate yesterday. Normally, this would not have been an issue as these changes do happen, but the second part of the problem is what we didn't anticipate.
The second issue, is that Android is specifically not designed to handle expiration dates on root certificates, so even after Let's Encrypt's updated root certificate was released it included an "Android-friendly" CA bundle that caused issues with the OpenSSL verification process for many systems. When an SSL is issued we get three certificates: the domain cert, the intermediate cert, and then Let's Encrypt provides an additional intermediate certificate which currently points back to the old, expired certificate for compatibility reasons.
The autofixer patch we released basically chops off the third portion of the certificate, which some of you discovered was a valid way to get the certificate to install. However, this will only work for SSL certificates that have already been installed - since the Let's Encrypt plugin itself has not been updated, *new* certificates will still continue to experience issues. The autofixer is only able to fix certificates that already exist on the system.
Older devices that are not Android (I don't have a list of any type at this point) will continue to experience issues even after these updates are applied to the server, as those are issues specific to the software and security of the device/applications themselves.
Ideally, we are looking into a long-term plan where there is logic applied to the OpenSSL tools to detect the Android-compatible certificate and just remove it, as it's not something that is required, but at this time, switching to the cPanel/Sectigo provider is the most reliable solution, although so many people have been making that switch that there have been delays and ratelimits applied that are slowing this down as well.
If there's a tl;dr I suppose it is this: our autofixer is working well in most cases, but it is designed to be a short-term fix. We're currently looking into a more permanent resolution for Let's Encrypt users.