To connect to LE-certified sites from clients with old openssl 1.0 (example: apt/wget in debian 8/debian 9) you need to remove expired certificate from your machine.
#dpkg-reconfigure ca-certificates
Then “Yes”. Deselect “mozilla/DST_Root_CA_X3.crt”! “Ok”.