Oh, I tried removing the old DST Root CA X3 from trusted CAs, but something seems to pull it back in.
I thought I could remove it and reboot, and dirmngr would stop referring to it, but since something is pulling back into the trusted CAs, that’s not going to work.
I instead ran an sslabs text on keyserver.ubuntu.com and it turns out they still have the old DST Root CA X3 certificate as part of the certificate chain.
Not all apps are able to overlook that one of the cert paths is invalid. Discussed here.
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
I tried #1, which it seems I’m not able to, as the certificate is automatically reinstated.
#2 & #3 I think are out of my hands.