You should not be terrified of updating CA certificates. That is a routine thing that should be current.
What does this say:
trust list | grep -E 'ISRG Root|DST Root'
Hopefully that works on Centos7 - not sure. There is different way if it does not.
Could your problem have started after Sept 30? On Sept 30 one of the root certificates for Let's Encrypt expired. You use the "long chain" of certificates that gives maximum support for older Android but at the expense of losing support for some others (older openssl and others notably). This is a complex topic and many many posts on this site for that. If you do not care about older Android clients (<7.1) then you could switch to using the 'short chain' but you will need to update your Certbot version. Or, you could use Certbot with a different CA (not Let's Encrypt). This article explains this in far more details than you will probably care to read.
Perhaps I or someone will suggest something for your php config to work. I can sympathize with frustration but in software things always change and you must adapt. It is a constant learning effort. It is not always fun but always necessary.