for that i get
echo -n | openssl s_client -connect hg.nginx.org:443 -servername hg.nginx.org
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mailman.nginx.org
verify return:1
---
Certificate chain
0 s:/CN=mailman.nginx.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
and it's still a problem for hg clone command
hg clone https://hg.nginx.org/njs/
abort: hg.nginx.org certificate error: certificate is for *.nginx.com, nginx.com
(configure hostfingerprint bd:90:5e:95:b4:51:d8:0b:b0:36:41:6f:99:a7:80:01:4e:cf:ee:c2 or use --insecure to connect insecurely)