Previously working connection to LE now fails - related to recent root cert exp.?

@erglazier I do not have much to add but maybe this will help.

Based on the verification error I was going to say you are missing the ISRG Root X1 from your trusted store - especially noting the older Ubuntu 16.

But then I saw your openssl command did not have errors, so now I am not sure. Do you by chance have your openssl cfg set up to use an alternate trust store?

FYI, the acme-v02.api.letsencrypt.org cert chain no longer includes the expired DST Root X3. Note the LE websites still do for compatibility with older Androids. So, the chain is just:


```
Certificate chain
 0 s:/CN=acme-v02.api.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
```

For some reason this is not verifying for certbot. Hmmm

What is your openssl version? I am wondering why it worked.

Here is a thread about Ubuntu root store. You are very knowledgeable so maybe something will inspire you :slight_smile:

Post back if not resolved. There is more to look at if need be.
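
An added example, not part of the original post: a Python script for the trust-store check discussed above. It loads a PEM CA bundle and reports whether ISRG Root X1 is present and unexpired, so the bundle OpenSSL reads can be compared with the one certbot's Python stack reads. The helper names `common_name`, `load_bundle` and `check_store` are hypothetical, and the bundle paths to compare are an assumption you supply on the command line.

```python
import ssl
import sys
import time

ROOT_CN = "ISRG Root X1"     # root the chain in the post ends at
OLD_ROOT_CN = "DST Root X3"  # expired root the post says was dropped


def common_name(cert):
    """Return the subject commonName from a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def load_bundle(cafile):
    """Load a PEM bundle and return its CA certificates as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def check_store(ca_certs, now=None):
    """Report whether ROOT_CN is present and unexpired in a trust store."""
    now = time.time() if now is None else now
    report = {"root_present": False, "root_valid": False,
              "old_root_present": False}
    for cert in ca_certs:
        cn = common_name(cert)
        if cn == ROOT_CN:
            report["root_present"] = True
            # notAfter uses the "Jun  4 11:04:38 2035 GMT" text format
            if ssl.cert_time_to_seconds(cert["notAfter"]) > now:
                report["root_valid"] = True
        elif cn == OLD_ROOT_CN:
            report["old_root_present"] = True
    return report


if __name__ == "__main__":
    # Assumption: pass every bundle path to compare; falls back to the
    # default cafile of the OpenSSL build linked into this Python.
    paths = sys.argv[1:] or [ssl.get_default_verify_paths().cafile]
    for path in paths:
        if path:
            print(path, check_store(load_bundle(path)))
```

If one bundle reports `root_present: False` while another reports `True`, the two clients are verifying against different trust stores.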