Quote
Yes looks like they're self-signed. Do they need to get a cert through letsencrypt or similar in order to prevent that?

Yes, they would. I believe one of the reasons that some networks are still using self-signed certificates and haven't moved to Let's Encrypt is that it takes a lot more work to get multiple, volunteer server hosts to synchronize their SSL certificates.