The link @Osiris gave talks about an "alternate chain" that can be configured so your web server doesn't serve the copy of "ISRG Root X1" that points to the expired DST Root. Here's a bit more info on the difference between the chains.
Since you're on Linux using an up-to-date version of certbot with nginx, you should be able to use the alternate chain by including --preferred-chain "ISRG Root X1" in your certbot commands. I'm not exactly sure the best way to modify existing orders. But I'm sure others more familiar with certbot might be able to provide that guidance.