Remember that there is no such thing as "a cert that only points to ISRG Root X1". When you configure your server to present the chain Your Cert <-- R3 <-- ISRG Root X1, that acts only as a hint to browsers. Browsers are free to ignore that hint, and instead build the chain Your Cert <-- R3 <-- DST Root X3 during validation.
To double-check that your server is providing the chain you want, you can use a tool like certigo:
$ ~/go/bin/certigo connect api-isrg-root-x1.maishameds.org --verbose
** TLS Connection **
Version: TLS 1.2
Cipher Suite: ECDHE_RSA key exchange, AES_256_GCM_SHA384 cipher
** CERTIFICATE 1 **
Serial: 331862780954954513440435273324005883452576
Valid: 2020-12-03 04:09 UTC to 2021-03-03 04:09 UTC
Signature: SHA256-RSA
Subject Info:
CommonName: api-isrg-root-x1.maishameds.org
Issuer Info:
Country: US
Organization: Let's Encrypt
CommonName: R3
Subject Key ID: 49:CC:A8:EE:8A:02:54:39:36:FC:49:DD:E6:C1:59:E8:72:09:7E:9E
Authority Key ID: 14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Basic Constraints: CA:false
OCSP Server(s):
http://r3.o.lencr.org
Issuing Certificate URL(s):
http://r3.i.lencr.org/
Key Usage:
Digital Signature
Key Encipherment
Extended Key Usage:
Server Auth
Client Auth
DNS Names:
api-isrg-root-x1.maishameds.org
Failed to verify certificate chain:
x509: certificate signed by unknown authority
As @Osiris pointed out, it looks like you're currently not serving a chain at all; you're only serving your end-entity certificate and not providing an intermediate. You shouldn't need to download any of our certs from https://letsencrypt.org/certs/; instead, simply use the fullchain.pem file which was supplied by your certbot invocation.
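An added example, not part of the original post: the Go program below reproduces the "certificate signed by unknown authority" failure with Go's crypto/x509 by verifying a leaf presented alone and then the same leaf presented with its intermediate, as fullchain.pem would supply it. The certificates are constructed in memory, and the helper names (mint, verifyPresented, demo) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a constructed test certificate; a nil parent means a self-signed root.
func mint(cn string, serial int64, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPresented checks what a server sent (leaf first) for a client that trusts only root.
func verifyPresented(root *x509.Certificate, presented ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] {
		inters.AddCert(c) // anything after the leaf is only a hint for path building
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// demo verifies a leaf-only presentation, then leaf plus intermediate.
func demo() (leafOnly, fullChain error) {
	root, rk := mint("Constructed Root", 1, true, nil, nil)
	inter, ik := mint("Constructed Intermediate", 2, true, root, rk)
	leaf, _ := mint("Constructed Leaf", 3, false, inter, ik)
	return verifyPresented(root, leaf), verifyPresented(root, leaf, inter)
}

func main() { fmt.Println(demo()) }
```

The leaf-only case fails because the client has no way to link the leaf to a trusted root without the intermediate; clients that cache or fetch intermediates can hide this misconfiguration, so a strict verifier is the better check.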