Getting invalid certificate error at various places

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
servraid.duckdns.org

I ran this command:
In PFsense, using the ACME plugins

/usr/local/pkg/acme/acme.sh  --issue  --domain '*.servraid.duckdns.org' --dns 'dns_duckdns'  --domain 'servraid.duckdns.org' --dns 'dns_duckdns'  --home '/tmp/acme/servraid.duckdns.org/' --accountconf '/tmp/acme/servraid.duckdns.org/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/servraid.duckdns.org/reloadcmd.sh' --log-level 3 --log '/tmp/acme/servraid.duckdns.org/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [SSL_CERT_DIR] => /etc/ssl/certs/
    [DuckDNS_Token] => ####
)

It produced this output:

[Fri Jul 10 15:49:32 EDT 2026] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 10 15:49:34 EDT 2026] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 10 15:49:35 EDT 2026] Already registered
[Fri Jul 10 15:49:35 EDT 2026] ACCOUNT_THUMBPRINT='####'
[Fri Jul 10 15:49:35 EDT 2026] Using pre-generated key: /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/*.servraid.duckdns.org.key.next
[Fri Jul 10 15:49:35 EDT 2026] Generating next pre-generate key.
[Fri Jul 10 15:49:36 EDT 2026] Multi domain='DNS:*.servraid.duckdns.org,DNS:servraid.duckdns.org'
[Fri Jul 10 15:49:37 EDT 2026] Getting webroot for domain='*.servraid.duckdns.org'
[Fri Jul 10 15:49:37 EDT 2026] Getting webroot for domain='servraid.duckdns.org'
[Fri Jul 10 15:49:38 EDT 2026] *.servraid.duckdns.org is already verified, skipping dns-01.
[Fri Jul 10 15:49:38 EDT 2026] servraid.duckdns.org is already verified, skipping dns-01.
[Fri Jul 10 15:49:38 EDT 2026] Verification finished, beginning signing.
[Fri Jul 10 15:49:38 EDT 2026] Let's finalize the order.
[Fri Jul 10 15:49:38 EDT 2026] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2772785861/530832928206'
[Fri Jul 10 15:49:39 EDT 2026] Downloading cert.
[Fri Jul 10 15:49:39 EDT 2026] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/057c102198ace4b67dc6e4b69be55bfedc24'
[Fri Jul 10 15:49:40 EDT 2026] Cert success.
-----BEGIN CERTIFICATE-----
####
-----END CERTIFICATE-----
[Fri Jul 10 15:49:40 EDT 2026] Your cert is in: /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/*.servraid.duckdns.org.cer
[Fri Jul 10 15:49:40 EDT 2026] Your cert key is in: /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/*.servraid.duckdns.org.key
[Fri Jul 10 15:49:40 EDT 2026] The intermediate CA cert is in: /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/ca.cer
[Fri Jul 10 15:49:40 EDT 2026] And the full-chain cert is in: /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/fullchain.cer
[Fri Jul 10 15:49:40 EDT 2026] Your pre-generated key for future cert key changes is in: /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/*.servraid.duckdns.org.key.next
[Fri Jul 10 15:49:40 EDT 2026] Running reload cmd: /tmp/acme/servraid.duckdns.org/reloadcmd.sh
 
IMPORT CERT servraid.duckdns.org, /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/*.servraid.duckdns.org.key, /tmp/acme/servraid.duckdns.org/*.servraid.duckdns.org/*.servraid.duckdns.org.cer
update cert![Fri Jul 10 15:49:41 EDT 2026] Reload successful

My web server is (include version):
nginx 1.28.3 (included in SWAG docker), 2 unraid 7.3.1 server running nginx 1.30.1

The operating system my web server runs on is (include version):
Docker

I can login to a root shell on my machine (yes or no, or I don't know):
yes

When using a browser to visit my services, no problem. But when using an application (like Subsonic, UptimeKuma, Nodered (Etc)), they fail with CertPathValidator issue.

When doing a curl from Linux (ran from a docker and from unraid), I get the following error

####:443 was resolved.
* IPv6: (none)
* IPv4: ####
*   Trying ####:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
*   CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=*.###.duckdns.org
*   start date: Jun 14 06:18:45 2026 GMT
*   expire date: Sep 12 06:18:44 2026 GMT
*   issuer: C=US; O=Let's Encrypt; CN=YR2
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   subjectAltName: "fileflows.###.duckdns.org" matches cert's "*.###.duckdns.org"
* OpenSSL verify result: 14
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
* closing connection #0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Also not working on android.

Windows seems to work fine

* Host ###.servraid.duckdns.org:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.##
*   Trying 192.168.##:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Established connection to ###.servraid.duckdns.org (192.168.## port 443) from 192.168.## port 59587
* using HTTP/1.x
> GET / HTTP/1.1
> Host: ###.servraid.duckdns.org
> User-Agent: curl/8.19.0
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 10 Jul 2026 19:57:15 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 1652
< Connection: keep-alive
< Vary: Accept-Encoding
< ETag: W/"674-FUGyj7IZIobM0dUGXEtQFXs4qXM"
< X-Robots-Tag: noindex, nofollow
< Strict-Transport-Security: max-age=63072000;includeSubDomains; preload
< Cache-Control: no-transform
< Content-Security-Policy: upgrade-insecure-requests; frame-ancestors 'self'
< Permissions-Policy: interest-cohort=()
< Referrer-Policy: same-origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Permitted-Cross-Domain-Policies: none
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="mobile-web-app-capable" content="yes">
<!--
  Copyright OpenJS Foundation and other contributors, https://openjsf.org/

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<title>Node-RED</title>
<link rel="icon" type="image/png" href="favicon.ico">
<link rel="mask-icon" href="red/images/node-red-icon-black.svg" color="#8f0000">
<link rel="stylesheet" href="vendor/jquery/css/base/jquery-ui.min.css?v=641265155d48">
<link rel="stylesheet" href="vendor/font-awesome/css/font-awesome.min.css?v=641265155d48">
<link rel="stylesheet" href="red/style.min.css?v=641265155d48">
</head>
<body spellcheck="false">
<div id="red-ui-editor"></div>
<script src="vendor/vendor.js?v=641265155d48"></script>
<script id="ace-bootstrap" src="vendor/ace/ace-bootstrap.js?v=641265155d48"></script>
<script src="red/red.min.js?v=641265155d48"></script>
<script src="red/main.min.js?v=641265155d48"></script>
</body>
</html>
* Connection #0 to host ###.servraid.duckdns.org:443 left intact

Problem appeared about 2 months ago on certificate renewal.

Well, you hid your fully qualified domain name so I can't verify this is the specific problem but it is almost certainly related to this pfSense issue.

I'll note that you are using an RSA cert so should have 3 certs in your "fullchain". The post above was using an ECDSA cert so should have 4 in "fullchain".