CURL can successfully download from sites with other issuers' certs, for example from Youtube. The site is behind a tightly locked FW, so I do not have much freedom in testing other sites.
The site on which CURL fails is considered secure by browsers, and having reviewed Letsencrypt cert installation documents I do not see any possibility for "misconfiguration": the cert is copied from live folder to Apache SSL.crt and SSL.key folders, then Apache loads them. What specifically could be misconfigured despite modern browsers considering the connection secure?
Meanwhile, are you able to review curl's latest cert and point me at the specific block within it, for Letsencrypt?
If the site is only sending the leaf cert rather than the full chain then browsers often adapt to the wrong config. But, tools like curl and openssl will not adapt and report an error.
What program did you use to get the Let's Encrypt certs for the server?
If certbot, what file did you copy to "SSL.crt"? Was it cert.pem or fullchain.pem?
What is the URL of the failing site? Or at least the domain name.
The CA Root store is part of each OS distribution. When using curl, inside or within php, you can also override the system CA Root store. Let's sort out the server config first and we can advise about the root store after if still needed.