Sep 30 16:07:31 itsalive charon-nm[35455]: 03[CFG] no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Sep 30 16:07:31 itsalive charon-nm[35455]: 03[CFG]   issuer is "O=Digital Signature Trust Co., CN=DST Root CA X3"

strongswan pki --verify --in /etc/strongswan/ipsec.d/cacerts/lets-encrypt-x3-cross-signed.pem --cacert /etc/strongswan/ipsec.d/cacerts/dsa_root.pem 
  using certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
  reached self-signed root ca with a path length of 0
certificate trusted, lifetimes valid