This is the same issue as found in this other thread:
The server in question sends a fully invalid certificate chain. Modern browsers fix this on-the-fly, but non-browser (e.g curl) does not.
The server needs to send the chain as fetched by the ACME client. There's a severe misconfiguration on the server.
It is possible that your software (ISPmanager) is just out of date and needs updating, as Debian 9 is old.