Seafile client DST Root CA expiry

what I call by lazyload problem:

EDIT: Summary of the issue after discussion below and more fiddling around.

  1. Some W10 versions don't ship with ISRG root baked in
  2. If a browser (IE, Edge or Chrome) encounters an ISRG root signed certificate, it DOES lazy load the ISRG root and it DOES appear in the root store.

That being said, non-browser OS subsystems (like rasdial, maybe others) do NOT trigger this flow and the chain cannot be verified until the ISRG root is lazy loaded through a browser.

The real "issue" here is that Rasdial is referencing the on-disk root store without using the OS's built in validation routines, and therefore isn't able to take advantage of the OS's lazy-loading.

maybe seafile have same problem?