If anyone is using Traefik with Letsencrypt. Please use the preferred chain ISRG Root X1 in your ACME configuration.
Otherwise, it default fetches the cross signed from DST Root CA X3. So you get the chain mycert > R3 > ISRG Root X1 > DST Root CA X3. And OpenSSL seems to validate the entire chain. Even though ISRG Root X1 is a trusted root CA in your computer. I think LE assumed the cross-signed cert strategy would work in theory. But, in practice OpenSSL doesn't support this.