[user5994461]

Are you on LetsEncrypt currently? From my experience working on legacy enterprise, I'd say to stay on there. Add the flag and you will get a few more months out of it '--preferred-chain "DST Root CA X3"'

Android 6 is 2015. root and intermediates CA have a 10 and 5 year lifespan. I am afraid you might not be able to find something that work on old phones and new phones.

Even if you do find an older CA vendor that has an ancient CA and is willing to sign (you will be forced into an enterprise contract that will take months to negotiate), it's going to be retired anytime soon and break everywhere.

Last but not least. Old phones are stuck on old versions of SSL/TLS, they're not able to connect to recent websites irrelevant of the certificates. Your site is probably no exception and cut the old protocols a long time ago.