Since you can't control your clients then the safest way would be to start using some other CA issued certificates.
One possible CA would be ZeroSSL (https://zerossl.com). They offer also certificates via ACME protocol without any fee like Let's Encrypt (https://zerossl.com/letsencrypt-alternative/) and have a pretty good compatibility with older devices (https://help.zerossl.com/hc/en-us/articles/360058294074-ZeroSSL-Compatibility-List).
If you're already using certbot command line tool to manage your Let's Encrypt certificates then you can add few additional switches to it to start issuing ZeroSSL certificates instead:
$ certbot ... --server https://acme.zerossl.com/v2/DV90 --eab-kid XXX --eab-hmac-key YYYYou can get the --eab-kid and --eab-hmac-key values from ZeroSSL website after you've registered an account for yourself.