Today I realized our OPNsense server stopped authenticating our roadwarrior users. The reason is Let’s encrypt changing its root CA certificate while our OPNsense router was not updated for a while. Manually executing the php script which updates certificate as described in this thread revealed that the script refused to update the certificate on the OPNsense router with message:
The certificate issuer does not match the certificate.
O=Let’s Encrypt, CN=R3, C=US,
I thought the solution would be updating the OPNsense router but it wasn’t 
I had to modify the script and change the CN=Let’s Encrypt Authority X3 to CN=R3 then the script works fine again, but I discovered that I could not renew the letsencrypt cert on nethserver, so I opened a separate thread after discovering that I cannot renew our letsencrypt certificate on our nethserver.