Post “https://hub.docker.com/v2/access-tokens/desktop-generate”: tls: failed to verify certificate: x509: certificate is valid for *.extern.facebook.com, extern.facebook.com, not hub.docker.com

Can you inspect the certificate (in a browser?) and paste it here?

Looks like something does an unexpected man-in-the-middle attack. Are you sure this is not caused by TLS inspection in your network? Companies often use TLS inspection to terminate the TLS context in a security appliance to scan it for malicious content. Usually they create a self-signed certificate on the fly with a company CA that is trusted by the clients. Maybe it is not properly configured?