Unfortunately that browser interface tends to be inaccurate.
If you check using e.g. openssl s_client, you'll see that the "ISRG Root X1" issuer is nowhere to be seen in the certificate chain on that domain.
. Not sure, seems like it should work.
Just for a sanity check: can you connect if you don't configure cacert at all?