We're encountering some weird TLS connection state related to the default usage of the system-ca that happens due to the following flow of events:

• User tries to connect to mongodb server
• Server issuer cert is Let's Encrypt
• Let's Encrypt issuer cert is ISRG
• There are two ISRG certs in the user system ca: one is self singed one, another is an expired one signed by DST (this sort of explains why this is a thing)
• When looking up the CA to verify the connection, the ISRG cert with the expired issuer is picked up first
• The expired DST cert is also part of the system CA list. Connection fails with the "certificate has expired" error

Also worth noting that while the issue can be reproduced with Node.js tls.connect method, it doesn't reproduce when using openssl directly and providing the same CA cert list, hinting that the issue might be a bug in Node.js