So it doesn't seams to be a MitM, the chain seams to be correct.
Windows should trust DST Root CA X3... Somebody else seams to have the same problem [solved] Unable to access sites certified by Lets Encrypt .Windows 7 - #7 by wartburg
Can you check that: TLS connection to letsencrypt.org fails with Chromium and IE - #10 by rugk ?
It was caused by a setting I had modified. I disabled “Automatic Root Certificates Update ” (link 2 ) which is a technology of Windows to fetch missing root certificates from the Windows update servers to import them into the root certificate store.