SSL handshake error with external OIDC provider

I have set up an external OIDC provider as an IDP in Okta.

I validated that the OIDC provider in question works when I integrate applications directly with it.

However, Okta fails to get an access/ID token after successfully redirecting with an authorization code.

Looking at the error log I see this:

Authenticate user with social login

failure : Unable to retrieve an access token for the Identity Provider

More detailed error:

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I presume this error is internally from Okta connecting to the OIDC token endpoint.
I’m confused why this is a problem since the domain in question for the token endpoint has a valid cert and doesn’t create problems when used with curl or from my browser.