My api domain is spiretown.fun
Running my domain through several certificate chain checking websites, all of them say my chain is correct, however I'm no expert and I might be reading the details wrong.
Update:
I updated the cached keychain on the ssl checker. My website is now sending a certificate chain without the expired CA. My solution was to change Certbot's preferred CA argument to be ISRG Root X1.
My new working cert chain:
https://www.sslshopper.com/ssl-checker.html#hostname=spiretown.fun