dirmngr's certificate chain validation does not handle the new Let's Encrypt root certificate correctly. When looking for the issuer of the intermediate certificate, the first matching certificate is used, which might be the old second intermediate certificate, then leading to the root which expired on 2021-09-21. What we need to do is the same as what can be done with OpenSSL: prefer trusted certificates over the first one found. This way the old second intermediate certificate is not used but the new root.
Without a fix it is not possible to look up any key with WKD or keyservers because LE certificates are in such widespread use.
A workaround for this bug is to remove the intermediate certificate

    S/N: 4001772137D4E942B8EE76AA3C640AB7
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
    sha1_fpr: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

from the system's cert store.
We should also check the validation code in gpgsm.
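
The issuer selection described above, as an added model that is not dirmngr's code: it builds a chain with first-match lookup and with trusted-first lookup over a constructed store. The R3 intermediate name, the leaf name and all dates except the DST root's expiry are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date
    trusted: bool = False  # True: listed as a trusted root in the local store

X1 = "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
DST = "CN=DST Root CA X3,O=Digital Signature Trust Co."
R3 = "CN=R3,O=Let's Encrypt,C=US"  # assumed name for the LE intermediate

# Constructed store. Only the DST expiry is the date given in the report;
# every other date is a placeholder. The cross-signed X1 is listed first.
STORE = [
    Cert(X1, DST, date(2024, 1, 1)),                # old second intermediate
    Cert(X1, X1, date(2035, 1, 1), trusted=True),   # new self-signed root
    Cert(DST, DST, date(2021, 9, 21), trusted=True),
    Cert(R3, X1, date(2025, 1, 1)),
]
LEAF = Cert("CN=keys.example.org", R3, date(2021, 12, 1))  # hypothetical leaf
TODAY = date(2021, 10, 1)

def find_issuer(cert, store, prefer_trusted):
    # Name matching only; a real validator also checks key ids and signatures.
    candidates = [c for c in store if c.subject == cert.issuer]
    if prefer_trusted:
        candidates.sort(key=lambda c: not c.trusted)  # stable: trusted first
    return candidates[0] if candidates else None

def build_chain(leaf, store, prefer_trusted):
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:  # stop at a self-signed cert
        issuer = find_issuer(chain[-1], store, prefer_trusted)
        if issuer is None or issuer in chain:
            raise ValueError("issuer not found for " + chain[-1].subject)
        chain.append(issuer)
    return chain

def validate(leaf, store, today, prefer_trusted):
    chain = build_chain(leaf, store, prefer_trusted)
    expired = [c.subject for c in chain if c.not_after < today]
    if expired:
        return False, "expired: " + expired[0]
    return chain[-1].trusted, "root " + chain[-1].subject

if __name__ == "__main__":
    for mode in (False, True):
        print("prefer_trusted =", mode, "->", validate(LEAF, STORE, TODAY, mode))
```

Dropping the first store entry models the workaround: with the cross-signed certificate gone, first-match lookup also ends at the self-signed ISRG Root X1.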