I've been in IT for a while, but I'm fairly new to PCI compliance.
One of the errors my scan is failing on is: SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)
The server seems to show 2 trusted certification paths. The only certificate that's not SHA256 is the last one at the bottom. Of course that's the Certification Authority certificate, so the fact that it's SHA1 shouldn't matter. See: PCI DSS scan failed - Help - Let's Encrypt Community Support
Or is there something else wrong?
I notice that the fingerprint in no. 3 is different in both chains. Could that be anything?
Can I disable IIS sending the CA certificate (no. 4) as per Schoen's comment on March 6th here: