default root list there, as isrg x1 isn't on list its likely effected by dst expiration. not sure if they actually check root CAS expiration date, if not longer chain (new default one) will still be effective. but it's list has other CA you'd be able to scramble even if not. but it be costly as most ca there are old so had ask them to sign cert chained to specific root