I tried to generate a "ISRG Root X1" certificate chain using command:
certbot certonly --manual --config-dir ./etc --logs-dir ./log --work-dir ./ --csr prime256v1.csr --preferred-chain 'ISRG Root X1' -d '*.ttc.icu' -m 'email@example.com' --agree-tos --no-eff-email
since "DST Root CA X3" has already been expired and safari will show the following certificate expiration error:
So, how can I create a 'ISRG Root X1' chain certificate and why the R3 is also expired according to safari? If it is expired, why it's keeping signing new certificates?