This is what is being served for the certificate
$ openssl s_client -showcerts -servername wave2.enkrott.com -connect wave2.enkrott.com:443 < /dev/null
CONNECTED(00000003)
depth=0 CN = wave2.enkrott.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = wave2.enkrott.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = wave2.enkrott.com
verify return:1
---
Certificate chain
0 s:CN = wave2.enkrott.com
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 11 15:35:01 2023 GMT; NotAfter: Jul 10 15:35:00 2023 GMT
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISBCiHhOzPLCDYpGks2KIRndHeMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA0MTExNTM1MDFaFw0yMzA3MTAxNTM1MDBaMBwxGjAYBgNVBAMT
EXdhdmUyLmVua3JvdHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA1FvHzWdeKPOVi79a/Tgmzg7ug4vws6mhLrLknajyrAYPzHVRq5Fhssyp8xOT
fKKJcgrT4uj4I1BAhT5DzrnpaEImTOPN/QA/T3DaOJ9pndfHAL3ZieK0I76BcGiH
gYmpv3YEkW81rLgQEZauSSPdirjdIT3Er2fZxL7R9gLebRq3zlPuBCUZt5Xz6KoW
q20TWeizTjJAMWeuH+Sh6/6zxTeByhUkIiDFqX3SuXsbm68Q0uTPIgjO1i1/C8Qx
xnNmlxAba6ezcszzqz4wte3RBMpocQMq7+IYORSrlKY1GHVTuVgIlMY06sk305MD
sCjYQC7LQ7fAUK/EiSgDwQvCDQIDAQABo4ICSzCCAkcwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBSqtk8/S/sX+gfgi0PYF5qQcgbJkzAfBgNVHSMEGDAWgBQULrMXt1hW
y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
b3JnLzAcBgNVHREEFTATghF3YXZlMi5lbmtyb3R0LmNvbTBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2ALc++yTf
nE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl7bSZAAABh3ErstUAAAQDAEcwRQIgRyBO
SfKEFTLUj+HxOtyUzlPhpy1UGXDV3wGljbHCEW0CIQCA13XGqojJHD7OIaabdrpB
X7gXmrp99y0HBCQVQe7K+wB1AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlej
UutSAAABh3ErsuYAAAQDAEYwRAIgEU2Fb0L+flC0EMzm1nyt0w1dv3iLKjLAAlcb
cAJXtg8CIGIvUK4XpYV2EGLkg15q6mWR1dJZFyCIj3iTu+JMqTX2MA0GCSqGSIb3
DQEBCwUAA4IBAQAROUfq+BXtWiG+yrcopNsUGcJPdWuNdBylhIU+Mi6Da8nuVGvb
Srdr9rOhDfoGcNJiTvknIuJ+++Q+TmAX9LS7VnfDJljnJe2HWGmPX7SWNRkeDYHC
FXPbNiNLWm+CLPU6xFWInd3ji1Shv3AGDV0We2CxCZTbGsSHZXv5q4sDTxlHCOI2
iDwWACgDA5WZ7hYxlnt0ACa0MsnznN+1+4X4YtJxODJoyhrxpdyIkR9RCkIga4V/
C5o9s5eeF+b6v0hKZjtccmxRGGD+cnV5Sbhz2YCeAd1hxbygwBXxfJgMfVuC7cXq
57t6rg+xjwlQ4L0aWhhx3H5xdMua0k0tAAiN
-----END CERTIFICATE-----
---
Server certificate
subject=CN = wave2.enkrott.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1863 bytes and written 383 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: D5527036AA90A88D799660356F1A01E1419EC8577DD010A7DC33E8FB58AC6EF6
Session-ID-ctx:
Resumption PSK: 1F9CB805926D00BB6356B822A085281FCFAE968AA917C7CB2093741F4526DDEB
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - f8 7b e5 ce 2e 9d 6b 11-93 68 d2 11 4a 50 04 83 .{....k..h..JP..
0010 - 86 c8 8e 9d 6e 0b 83 ea-81 ab 42 f6 fe 9f 70 d0 ....n.....B...p.
0020 - a0 0d 6b 39 d3 c0 15 63-04 54 34 55 45 7d 4f 6e ..k9...c.T4UE}On
0030 - fc 09 1d ce 9e b6 f9 f0-6a be 35 08 c9 44 c7 15 ........j.5..D..
0040 - 99 c5 a4 a6 ad 17 96 19-b8 66 6c b4 b8 af 11 5b .........fl....[
0050 - 19 b4 4d f8 06 d3 2b 1a-54 36 df 42 74 b0 bc 2b ..M...+.T6.Bt..+
0060 - ad 96 70 85 c3 92 71 22-74 d2 4a da c0 01 2f fd ..p...q"t.J.../.
0070 - ee .
Start Time: 1684348267
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
DONE
See Verifying a certificate - #5 by jsha
I my opinion, in most cases client applications do not follow the proper methods shown there.
You can find information here Long (default) and Short (alternate) Certificate Chains Explained