Interesting, this looks to be specific to the TLS implementation used in Chrome which I believe is Boring SSL, derived from OpenSSL (which curl also uses). Your site works in MS Edge (which probably has different defaults to Chrome) and Firefox (which uses it's own TLS stack).
If I go to chrome://flags and search TLS, then Enable Allow SHA-1 server signatures in TLS. your site works. This may be a bit of red-herring because I don't see your server using a SHA-1 signature..