...
2020-06-02: There are reports from other NRENs that some TLS-inspecting software/boxes take exception to the expired certificates present in this chain. There is also reports of non-browser clients not working. To get an idea of what may break, you can have a look at documentation from Carnegie Mellon University on what has been affected (as they use Sectigo via InCommon).
If this affects you, update the chain to only include the GEANT CA certificate as described below.
What if we see "AAA Certificate Services" instead of "AddTrust External CA Root"?
...