On September 30 2021, DST Root CA X3 expired which affected a lot of websites including my email provider and TMO.

But I decided not to give up so I started looking into it. Apparently ISRG Root X1 is added in a CSSU update (i'm on testing) but for some reason it ignored the existent of the CA.

After some further digging, I found this note on updating certs so I tried it: parse certdata.txt, transfer certs folder to MyDocs and run cmcli as said, still doesn't work

So out of the blue I decided to just google "isrg root x1" and check out Let's Encrypt Chain of Trust.
On that page I found root certificates along side with it's PEM files, there's another version with it cross-signed with DST X3 and that's something I never tried before as most of the certs on the device are self signed.

I downloaded it and installed it on the device, lo and behold, TMO now loads on my N900 without an error and my email now works again!

For good measure, I installed the ISRG X2 cert as well. Now my N900 on Fremantle is useful again.

tl;dr version

1. Go to this page https://letsencrypt.org/certificates/
2. Download "Cross-signed" version of ISRG Root X1 in PEM format
3. Transfer the file to the N900
4. Open Settings and navigate to "Certificate Manager"
5. Import the certificate, accept the default and enjoy!