It’s also possible that some configuration changes are needed on the Launchpad side. It doesn’t seem to be serving up a full certificate chain:
$ openssl s_client -connect api.launchpad.net:443
CONNECTED(00000003)
...
---
Certificate chain
0 s:CN = launchpad.net
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
...
That is, it’s serving up its own certificate and the intermediary, but not the root certificate. I wouldn’t have thought this would usually be a problem, since the root cert would need to be on the system already for it to be trusted. But perhaps it makes a difference here?