The issue is definitely the expiration of the old CA.
However, the web browser seems to pull the correct certificate from the firewall (nextcloud is behind HAproxy). It is from ISRG Root X1 → R3 → my wildcard cert.
However, the application seems to want to access some local copy of the certificate, and gets the error:
The issuer certificate of a locally looked up certificate could not be found
Issuer: DST Root CA X3
Which is of course understandable, since DST Root CA X3 doesn’t exist any more, old CA that expired.
So now, where is the certificate that the app is locally attempting to access and how do I delete it?
So far this is only happening for me with the Windows client and I don’t have anything special running in front of my Nextcloud server except a standard Untangle firewall. All my android devices are fine as well as the desktop app on Linux. So there’s no where I know of to delete/refresh any certificates to try and solve this.
I have Nextcloud running behind a Windows IIS reverse proxy. Windows IIS is the machine serving the certificates. Running an SSL test (SSL Server Test (Powered by Qualys SSL Labs)) showed that my server was returning the wrong (expired) intermediate certs. (Apparently browsers and other software are smart enough to go download the correct certs from their origin). Looking through the certs on the machine showed only the correct new certs. Rebooting the machine fixed it, which leads me to believe Windows was serving cached copies.
I ran through and checked the SSL test site given by Mike3. I am using LetsEncrypt and I noticed that it showed two certificate paths. The #1 path was the one to the proper “ISRG Root X1” cert. There is another #2 path to the “DST Root CA X3” which shows invalid. So seems some things are following the proper #1 path and others (Windows clients) are not?
Tried restarting the web server. Still same issue.
Since it’s easy/free to renew LetsEncrypt, I just forced an early renewal for my nextcloud domain, restarted the webserver and now things are working. What a pain.
Try this to disable use of the expiring R3 in your chain [Windows OS]:
Open certlm.msc from CMD (win+r), expand the tree for  Intermediate Certification Authorities > Certificates and for  Untrusted Certificates > Certificates.
Drag R3 issued by DST Root CA X3 from  to , this will disallow the expiring R3. Don’t do this for R3 issued by ISRG Root X1
Ensure you have R3 issued by ISRG Root X1 installed in Intermediate Certification Authorities > Certificates, if not you can get it from https://letsencrypt.org/certs/lets-encrypt-r3.der and install it to that store.
Check your served chain again, you may need a reboot.
Попробуйте это, чтобы отключить использование истекающего DST Root CA X3 в вашей цепочке [Windows OS]:
Откройте certlm.msc через CMD (win+r), разверните дерево для  Промежуточные центры сертификации> Сертификаты и для  Недоверенные сертификаты> Сертификаты.
Либо через поиск найдите все DST Root CA X3 сертификаты (в моём случае их 2) и удалите их.
После чего, следует проверить наличие сертификата ISRG Root X1, установленный в Промежуточные центры сертификации> Сертификаты, если отсутствувет, вы можете скачать его по ссылке https://letsencrypt.org/certs/lets-encrypt-r3.der и установить.
Возможно, вам потребуется перезагрузка. Это решение мне помогло.
I split the topic since here it doesn’t seem to be related to the expired certificate rather the new one that is not included in the local varstore. Is that something that has to be done in Windows directly? Or is there something the desktop client can fix as well since the web browser doesn’t show an error?
For others (like me) who take too late to actually read the bugreport, the solution is to simply browse to your Nextcloud URL in Edge Browser. After that I was able to login using the Nextcloud client successfully.