I've manually renewed the Let's Encrypt certificates in question now and the optional expired path in the chain has now gone. This should resolve the client issue with ESET for us although I do question if it should have been necessary as the certificates were still valid. Anyway, I hope this helps.