As detailed in https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816, the new Let's Encrypt default issuance chain ISRG Root X1 <-- DST Root CA X3 triggers a certificate chain verification corner case that affects the following libraries:
- OpenSSL < 1.1.0
- LibreSSL < 3.2.0
- GnuTLS < 3.6.14
This issue as mentioned on the GnuTLS ticket affected AddTrust CA almost one year ago and the patch for the main libraries has been probably backported on the major linux distributions.