To make the web more secure, Let's Encrypt issues certificates for everyone. They recently changed the root certificate, which is not a problem on its own.
But for a transition period, certificates may be signed by both (the old and the new) root certificates. An old openssl installation selects the older certificate and complains that it is expired.
ERROR: cannot verify www.jenkins.io's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
Issued certificate has expired.
To handle the situation on Ubuntu 16.04 (xenial), the site https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ has the working answer: disable the expired root certificate (DST Root CA X3) in the system. Use the following command to open the configuration dialog and disable the certificate mozilla/DST_Root_CA_X3.crt:
sudo dpkg-reconfigure ca-certificates
Now the app happily connects to servers with current Let's Encrypt certificates.