After certificate renewal on multiple servers I administer (they have all been fixed manually now, so disclosing them here won't help), I'm still getting expired certificate errors when using tools like curl or wget to download something from those servers. It seems the ACME server is still sending the old ISRG root certificate, cross-signed by an expired DST Root CA X3 certificate rather than the self-signed new root.
Since tools like curl and wget aren't as smart as web browsers, they fail when they see the expired root.
Is there a way to reconfigure certbot somehow to issue chains with the new root rather than the old one? Having to manually fix all chains after each renewal is pretty annoying.
Certbot is version 1.21 if that matters.