diff --git a/.travis.yml b/.travis.yml
index e4ced915c6..f2b16150e6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -39,6 +39,20 @@ install:
   - pip install --upgrade "setuptools<=39.2.0; python_version < '3.9'"
   - pip install --upgrade -r requirements.txt -r dev-requirements.txt
   - python setup.py develop
+before_script:
+  # deal with Let's Encrypt's ISRG Root CA X1 being cross-signed by an expired root
+  # only needed on trusty - mark the bad cert disabled in conf, update ca-certificates
+  # bundle, then remove the .crt file completely from the only place it should remain
+  # finally, monkeypatch certifi to use the system's fixed one (as of 2021-10-05,
+  # certifi still stubbornly bundles the expired root;
+  # see https://github.com/certifi/python-certifi/pull/162
+  # and https://bugzilla.mozilla.org/show_bug.cgi?id=1733560 for updates)
+  - if [ "$TRAVIS_DIST" == "trusty" ]; then
+      sudo sed -re 's#(mozilla/DST_Root_CA_X3.crt)#!\1#' -i /etc/ca-certificates.conf;
+      sudo update-ca-certificates;
+      sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt;
+      cp /etc/ssl/certs/ca-certificates.crt /home/travis/virtualenv/python3.3/lib/python3.3/site-packages/certifi/cacert.pem;
+    fi
 script:
   - make travis
 env: