OK, so I talked to my sys admin and he confirmed that most have expired root certificates and he advised me to add peer SSL verification to false where request is initiated. So I remembered I saw something about that, but then found this old topic. Then I found this setting is in /config/system.yaml, so in Admin went to Configuration > System > Advanced and have set Remote Verify Peer (SSL) to No
Now it works as expected (Grav news, plugins updates)
I suppose until every website fixes root certificates, will have to live with this option off