Images such as 16.4.1 / 2016Q4 are too old to be able to easily upgrade to the latest
mozilla-rootcerts package available in e.g. the trunk repository, and many root certificates are now unsupported.
To fix existing systems until they can be upgraded to a supported release, the following procedure can be used, though note it is very much a hack, and is e.g. overwriting package-managed files, but should otherwise be harmless.
As an example, 16.4.x systems are unable to verify the current certificate of Joyent Manta: