Java currently does not trust the root certificate Let’s Encrypt uses. You will have to manually import the root certificate into your Java key store. Here’s an example script showing how you would do this.
I believe Oracle is scheduled to include the IdenTrust’s DST root certificate with an upcoming Java update in July, so once this version is deployed, this should not be necessary anymore.
Side note: The example script does not actually import the IdenTrust root certificate, but rather the ISRG root (which is not currently in use) and the intermediate certificates used by Let’s Encrypt. This works just fine and you probably don’t need to care about this, but if you want to do it Just Right™, you might want to just import this one certificate instead: https://www.identrust.com/certificates/trustid/root-download-x3.html
