Fallen at the first hurdle: [notice] TLS :client: In state :certify at ssl_handshake.erl:2082 generated CLIENT ALERT: Fatal - Unknown CA

Could it be your PC accesses the internet through some corporate outbound firewall that intercepts HTTPS traffic, by injecting itself in the TLS handshake and presenting a certificate signed by a corporate CA that exists in your OS CA trust store but not in the CA trust store used by Hex?

Assuming you have the openssl CLI tool available, what does openssl s_client -connect repo.hex.pm:443 -servername repo.hex.pm show you under “Certificate chain”? Alternatively, if you open https://repo.hex.pm in a browser and you inspect the server’s certificate, what issuer(s) do you see?