Dex uses the system’s CA trust store to validate certificates and will fail if it thinks the certificate is self-signed. The only way to get around this is to ensure the SSL certificates CA is in the system trust store. First I’d recommend seeing if an update to ca-certificates package solves the problem, that will update the system’s CA trust store.
If updating ca-certificates RPM does not solve the issue the next step is adding the Let’s Encrypt CA to system trust store. Based on your script do something like this:
cp /etc/ssl/${DOMAIN}/letsencryptauthorityx3.pem.txt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
Another thing that could be happening is if you used IP addresses and not hostnames present in cert then Dex will think the TLS cert is invalid. If you could provide the contents of /etc/ood/dex/config.yaml and remove anything sensitive.