This is what I had to do to fix it for my Sectigo/Comodo certificate:

• edit the .ca-bundle
• replace the bad PEM with the good PEM (see attached files)

Longer story: the bad & good certificates have the same key (their RSA Modulus is the same) and the same CN ("USERTrust RSA Certification Authority"), so they can be interchanged, but the bad PEM has been cross-signed (issued) by the old, bad "AAA Certificate Services" (which is self-signed with the weak SHA1 algorithm). The good cert is self-signed with the strong SHA-384 algorithm.

If you feel uncomfortable downloading the cert from a forum (and you should feel uncomfortable), you can view the details of the good certificate here: https://crt.sh/?id=1199354

And you can download a copy of the PEM here: https://crt.sh/?d=1199354