Looks like something changed in certctl and now it wipes the directory when writing the CAs, which also wipes out the CA files from the cert manager.
Try this diff and see if it helps, and keep in mind that certctl rehash can take up to a few minutes to run, so check ps uxaww | grep certctl and make sure it's done before you try running any commands.
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index be5a0de777..5b7735d191 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -2371,6 +2371,8 @@ function ca_setup_trust_store() {
safe_mkdir($trust_store_directory);
unlink_if_exists("{$trust_store_directory}/*.0");
+ mwexec_bg('/usr/sbin/certctl rehash');
+
foreach (config_get_path('ca', []) as $ca) {
/* If the entry is invalid or is not trusted, skip it. */
if (!is_array($ca) ||
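Review bot: the added mwexec_bg('/usr/sbin/certctl rehash') ahead of the foreach starts the rehash in the background, so the loop's ca_setup_capath() calls can run while certctl is still working. The rehash is described as taking up to a few minutes and as wiping the directory, so files the loop writes could still be removed if the wipe happens after they land. Consider making the rehash complete before the loop starts, for example with a blocking call in place of the background one, or by waiting for certctl to exit before writing the CA files.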
@@ -2382,7 +2384,6 @@ function ca_setup_trust_store() {
ca_setup_capath($ca, $trust_store_directory);
}
- mwexec_bg('/usr/sbin/certctl rehash');
}
/****f* certs/ca_setup_capath
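Review bot: with the trailing mwexec_bg('/usr/sbin/certctl rehash') removed from the end of ca_setup_trust_store(), nothing in the visible lines tells a later reader that the rehash has to come before the CA files are written. A short comment at the new call site, saying that certctl clears the directory and so must run ahead of the ca_setup_capath() loop, would keep the ordering from being reverted. It is also worth confirming that the entries written by ca_setup_capath() are usable without a rehash afterwards, since none now follows them.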
If that doesn't help, there are more options; it just needs some experimentation to figure out the best path forward.
EDIT: It's also worth noting that Let's Encrypt CA chains are in the OS default trust store already, so any custom entries that are duplicating Let's Encrypt CAs in the chain may be conflicting with the built-in copies.