Your request contacted a host which presented an expired or Invalid certificate when connecting to a site using a "Lets Encrypt" Issued Certificates.
DST Root CA X3 Expiration (September 30, 2021) and due to the cross signing nature of the certificate, the chain is being constructed with the expired cert.
You will need to remove the expired certificate from the Browser Trusted CCL and also the CA certificate list in the proxy. Below are the CLI commands to perform both functions.
edit ccl browser-trusted
delete ca-certificate DST_Root_CA_X3
NOTE: Please review additional information below. Additional Chain of Trust certificates affected by DST Root CA X3 cross-sign expiration is more broad than original thought. Details from 'Lets Encrypt', with hierarchy provided below.
NOTE: The way that proxy builds and validates certificates chains have been modified since the 184.108.40.206 version of code and as such, you should only experience this if running 220.127.116.11 and lower.
For more specific details see the article below from Let's Encrypt regarding the expiration.
Let's Encrypt Chain of Trust Hierarchy:
The root certificate ISRG Root X1 has also been linked to Let's Encrypt expiration issues as found in 'Chain of Trust' Hierarchy above. Being imported into CA Certificates, then into added to Browser Trusted for affected domains has proven to resolve this issue. If you find additional Let's Encrypt certificates affected, review the Chain of Trust Hierarchy to see if there is a certificate related that needs to be imported for the expired.
Note the Examples below for ISRG Root X1: