The certificate chain of that website is Leaf > R3 > ISRG Root X1 > DST Root CA X3 (expired). This is the default chain intended for Android compatibility. It has the disadvantage of not working for clients which validate the expiry all the way to the root certificate.
You can either turn off certificate validation in your program, see if there are any updates you can do (or extra urllib options you can set) or change your service to use the ISRG Root X1 chain.
Installing the certbot-nginx is not really useful if you're actually not using the plugin at all. And you're not using that plugin, as you're using certonly (so no installer plugin) and the webroot authenticator plugin, so no nginx authenticator plugin used.
In any case, the certbot from the PPA is quite old. It's probably wise to switch over to the snap installation method as described here: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx (note that this guide actually does use the nginx plugin, but that's not really required: your solution with the webroot plugin is just as fine, so you don't have to change that.)
When you have a recent certbot version using snap, you can use the --preferred-chain option to choose the chain chaining up to the ISRG Root X1 root certificate.
Ensure you have the latest ca-certificates and openssl
Do: sudo apt-get update sudo apt update
Then, what shows: sudo apt install ca-certificates openssl
I don't know what to say about: urllib2
Other than, you might have a very old version of Python... ?
If that can't be upgraded, you might get through this problem quicker by switching ACME clients.
As far as I'm concerned, that still would undermine the entire purpose of HTTPS. The whole purpose of a certificate is authenticating the other party. For encryption just Diffie-Hellman would be fine, but no, we have the whole certificate stuff for authentication!
Thank you for your suggestions. I have followed @Osiris's recommendation to install Certbot using snap and generate a new certificate using the --preferred-chain option. Now our Windows App can request websites normally.
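Added example, not part of the thread: a simplified Python model of why the default chain described above fails for a client that checks expiry all the way to the root, while the shorter ISRG Root X1 chain passes. The `Cert` tuple, the `validate` function, the hostname and all dates are constructed for illustration, and no signatures are verified.

```python
from datetime import date
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: date

def validate(chain, store, today, stop_at_first_anchor, check_anchor_expiry):
    """Walk the served chain leaf-first and return (ok, reason).

    stop_at_first_anchor: accept as soon as an issuer is found in the trust
        store (typical of current TLS libraries).
    check_anchor_expiry: reject a trust anchor whose own certificate expired
        (the strict clients from the thread); False models the Android
        behaviour the default chain was built for.
    """
    for i, cert in enumerate(chain):
        if cert.not_after < today:
            return False, f"{cert.subject} expired"
        last = i == len(chain) - 1
        anchor = store.get(cert.issuer)
        if anchor is not None and (stop_at_first_anchor or last):
            if check_anchor_expiry and anchor.not_after < today:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
        if not last and chain[i + 1].subject != cert.issuer:
            return False, f"chain broken after {cert.subject}"
    return False, "no trust anchor found"

# Constructed sample data (illustrative dates, hypothetical hostname).
TODAY = date(2022, 1, 1)
STORE = {
    "ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4)),
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30)),
}
# Default chain: ends in ISRG Root X1 cross-signed by DST Root CA X3.
LONG_CHAIN = [
    Cert("leaf.example", "R3", date(2022, 3, 1)),
    Cert("R3", "ISRG Root X1", date(2025, 9, 15)),
    Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),
]
# Chain served after choosing the ISRG Root X1 chain with --preferred-chain.
SHORT_CHAIN = LONG_CHAIN[:2]

if __name__ == "__main__":
    for name, chain in (("default", LONG_CHAIN), ("ISRG Root X1", SHORT_CHAIN)):
        print(name, "strict client:", validate(chain, STORE, TODAY, False, True))
```

In this model the strict client rejects the default chain and accepts the short one, which is the effect of reissuing with the ISRG Root X1 chain without touching certificate validation in the client.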