As you may know, the DST Root CA X3 expired some time ago. The debops.pki role used to configure it as the root certificate for all realms that were issued by Let's Encrypt. Let's Encrypt has since switched to their own ISRG Root X1, and the DebOps role has been updated to reflect this. If you have the latest patches from the master or stable branches, new realms will automatically have the new root ca configured. This change will also be in the next DebOps release, which is planned for January 2022.
However, re-running the patched debops.pki role against all your hosts will not automatically update the existing realms. You can follow these instructions to update any old references to the DST root in your realms: https://github.com/debops/debops/issues/1860#issuecomment-986784054
If you have any comments about this, please put them in the linked GitHub issue.