I believe the certificate used for Dex and OnDemand would both need to be trusted by the systems trust store. Here is one past topic that looks very similar: Ood1.8 fresh install on Centos7.8 with Apache/2.4.34 - #14 by kketchmark
If I had to guess you need to add the LetsEncrypt chain.pem from live directory to anchors directory and update trust store. I’m not sure why this would be necessary unless the ca-certificates on CentOS 7 is too old to contain the LetsEncrypt chain or something.
One possible solution is using fullchain.pem with Dex rather than cert.pem, not sure if that would change behavior.
We only have 1 system using LetsEncrypt and I’m not even able to use chain.pem to validate cert.pem. It’s like the “ISRG Root X1” issuer cert is missing on CentOS 7. I found this: Let’s Encrypt change affects OpenSSL 1.0.x and CentOS 7 | by Dorai Ashok S A | Dev Genius and even though using --preferred-chain "ISRG Root X1" I am still unable to validate with openssl on CentOS 7.