Just advising that this approach (which effectively means to just ignore the expiry of DST Root CA X3) will only work for a few years. When the cross-sign of ISRG Root X1 expires, this will no longer work. A more future-proof approach would be to include ISRG Root X1.
Trusting ISRG Root X1 was explained by @Ella here: