Okay, got if “fixed”.
Removed the full section about "Digital Signature Trust’ Root CA X3 cert from file
vi /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
and ran
update-ca-trust
manually.
Then (and only then) the available ISRG Root X1 takes over.
– with openssl you may force this with -trusted_first but not with Storeman 
Section starts with
[p11-kit-object-v1]
label: "DST Root CA X3"
and ends with the next empty line (after a lot of #-commented lines and before the next p11-kit-object-v1).
–edit
Please be aware that every file in that directory is read, so move any backup file one level higher (or elsewhere).