So I found this advice online for updating certs without having to worry about trusting expired old certs.
1. Visit https://letsencrypt.org/certs/isrgrootx1.pem to download the certificate, and save it in the Documents folder.
2. Open Terminal, paste this command, and press enter:

    sudo security -v add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ~/Documents/isrgrootx1.pem

This eliminates the need for marking the expired DST root as special-case trusted.
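An added example, not part of the post above or of the advice it quotes: a pre-trust check that compares the downloaded file's SHA-256 fingerprint with a value obtained out of band, confirms it is a self-issued and unexpired certificate, and only then runs the same `security` command. The function names, the script name and the `<EXPECTED_SHA256>` placeholder are assumptions; it needs `openssl` on the PATH.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded root certificate before trusting it.

# Print the certificate's SHA-256 fingerprint as lowercase hex, no colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# check_root CERT EXPECTED_SHA256
# Returns 0 when every check passes, otherwise a code naming the failed check:
#   2 unreadable file, 3 not a parseable certificate, 4 fingerprint mismatch,
#   5 subject and issuer names differ (not a root), 6 already expired.
check_root() {
    cert=$1
    # Accept the expected value with or without colons, in either case.
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -r "$cert" ] || return 2
    have=$(cert_sha256 "$cert")
    [ -n "$have" ] || return 3
    [ "$have" = "$want" ] || return 4
    # Name comparison only; this does not verify the self-signature.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || return 5
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 6
    return 0
}

# Run the keychain command from the post only if the checks pass (macOS only).
trust_root() {
    check_root "$1" "$2" || {
        rc=$?
        echo "refusing to trust $1: check_root returned $rc" >&2
        return "$rc"
    }
    sudo security -v add-trusted-cert -d -r trustRoot \
        -k "/Library/Keychains/System.keychain" "$1"
}

# Usage (script name is hypothetical):
#   sh trust-root.sh ~/Documents/isrgrootx1.pem <EXPECTED_SHA256>
# <EXPECTED_SHA256> is a placeholder: take the fingerprint from a source other
# than the connection that delivered the PEM file.
if [ "$#" -eq 2 ]; then
    trust_root "$1" "$2"
fi
```

The fingerprint comparison is the check that matters: a root added to the System keychain is trusted for every user on the machine, so the file should match a value confirmed independently of the download.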