Ah, solved my own problem.
I didn’t read far enough down on Let’s Encrypt Staging Root and downloaded the intermediate cert instead of the root cert from http://cert.stg-root-x1.letsencrypt.org/
For some reason curl and Go liked that better than Node.