Wow, this openssl mailing list post has a much simpler solution for CentOS 6 / openssl < 1.0.2
Since openssl apparantly doesn't check the self-signature on root CA's, you can simply alter the expiration date of DST Root CA X3, and it will be trusted again. The following command fudges the expiration date to 30 September 2024 (the end-date of the ISRG Root X1 cross-signature) directly in the PEM-encoded certificate:
sudo sed -i s/xMDkzMDE0MDExNVow/0MDkzMDE4MTQwM1ow/ /etc/pki/tls/certs/ca-bundle.crt
This works 
no openssl upgrade needed!