iOS/macOS Calendar (Nextcloud) "Cannot Connect Using SSL"

Previously I was having no trouble generating certs using Certbot for Nextcloud, and then for iOS and macOS calendars. However, it now seems that the certs are no longer accepted, since I get "Cannot Connect Using SSL".

Apparently the certificate requirements have changed, however I already inspected the details of the cert and everything seems to be fine.

openssl reports verify error:num=10:certificate has expired, but the browser (for example) doesn't complain about the certs...

Can anyone help? Thanks in advance

My domain is: nextcloud.jcrooke.net

I ran this command: openssl s_client -showcerts -connect nexcloud.jcrooke.net:443 2>&1

It produced this output:

depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=jcrooke.net
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/CN=jcrooke.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4663 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 4A1ADBD8FFE8DE7EBB9EF863479A515FB1359E4285477D63D4B12167E06FA47C
    Session-ID-ctx: 
    Master-Key: 6451E7E0DEBBABD871390C913260B0F748A2A70DC0DE417DE0225F8C55E8CED9A9C9E40BF576BABE3DEB452D06360D0D
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c9 89 ab 28 76 ea 9a 40-bd 8c 8d 62 c4 88 33 e6   ...(v..@...b..3.
    0010 - b8 d1 f5 ec 81 a9 28 4e-b1 48 53 9d a5 51 26 54   ......(N.HS..Q&T
    0020 - cf 39 86 de 87 61 97 a0-45 35 a1 fc e0 5f 0f 81   .9...a..E5..._..
    0030 - 23 c6 02 3e 71 dc bb 7e-c8 61 bc 78 53 66 73 19   #..>q..~.a.xSfs.
    0040 - c0 04 c3 73 c9 22 80 98-fe 8d 87 8e 62 12 e5 d8   ...s."......b...
    0050 - d0 c5 2b a0 0b b4 77 28-ef 08 03 25 3b 10 da 48   ..+...w(...%;..H
    0060 - 35 f0 f4 3a ee 99 d8 7c-bc 9a 7d 70 f9 ee 39 5c   5..:...|..}p..9\
    0070 - db b8 b8 0b 41 67 d7 04-44 05 d4 8a d9 18 4c d2   ....Ag..D.....L.
    0080 - f5 da d3 28 e3 db 0a 8b-6b 46 86 27 c1 69 04 0c   ...(....kF.'.i..
    0090 - 55 44 61 4c ca c4 a1 1b-7a bb 39 fb 93 fc d4 97   UDaL....z.9.....
    00a0 - 9c 2f 26 b3 60 14 a1 eb-7f e1 33 4b 97 a2 d5 d0   ./&.`.....3K....
    00b0 - c4 2c aa 97 6f 0a 1f 63-56 c1 f7 be 6b 82 ac 33   .,..o..cV...k..3

    Start Time: 1635671645
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

My web server is (include version):

Server version: Apache/2.4.38 (Debian)
Server built:   2021-06-10T10:13:06

The operating system my web server runs on is (include version):

Host:

NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

Apache container:

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

What is the version of the openssl where you executed the s_client command?

2 Likes

Hi @bruncsak, thanks for responding.

$ openssl version: LibreSSL 2.8.3 (macOS Big Sur)

I also played around a bit (updated my certbot), so here's an updated OpenSSL output:

depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=jcrooke.net
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgISBCyiMmuT+p+PgaCSPzouAqrEMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMzEwODQwNTZaFw0yMjAxMjkwODQwNTVaMBYxFDASBgNVBAMT
C2pjcm9va2UubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHyu
X/t6jiaFkXphZTfn3gEzAe2xxYL+KSV9fCT4WV4ukYBb769VEHtkVWTHKmCPaz2O
x8wbn+lGzpY0zB0XMCJREeZ7iyKalvMte65D8VDJU3P7mnPtCHQymmeuDthIDS9I
zrKMrZnbnEo0hpMuuNlkq1+VtV0jGtiQ1hEg4Z+vk9stgTKts2XwFT707dZmhTaO
YDBkHMb9CCiJRkfEhEckwWXjCATKM4AlXy6hGIY2dvgF+9k6o8xQBHU+mGiKThbs
1TqS3Q+3aM6/JpwaWbi03is0e+8chW0ehFxm+tWcG1EOVk3IKdGEk6gseEUX8NFk
10Rx7jk2Lju1xBxg0QIDAQABo4ICUzCCAk8wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBSTe9kKV94rym7O/S7/VubpxoWl9jAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDm
H6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5v
LmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAl
BgNVHREEHjAcgg0qLmpjcm9va2UubmV0ggtqY3Jvb2tlLm5ldDBMBgNVHSAERTBD
MAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8v
Y3BzLmxldHNlbmNyeXB0Lm9yZzCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1AN+l
Xqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABfNW5MgAAAAQDAEYwRAIg
Aes1VZGJvdl3VzzYNg+d5nvnodZJmf4sFcSpg2oQMOUCICxXSt6ZNnQvgK19BlgR
FsYyhyCNPSDJgisXgVwu3WNCAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0m
XCVdx4QAAAF81bkx+AAABAMARjBEAiB35rP61N9Ow0aBKfyN3sNqQzuzmiat8B2O
pjRFi8JSjQIgFdzr7bvVtt4LNFc/eyjWHOUeeT7SwEvtDhj2+qxjAYYwDQYJKoZI
hvcNAQELBQADggEBADH0EiJzentk4b8MrW7eLtJki3XupjUg+xZmCqnTYX4zXKQS
vONOiX3/MHm4cNFUBuy0qAG/tFBwVbmsHHErKJbhmFo+KKsLE2HqRuO3FKBaknME
3KUHjb8+KQX99pw4VvmL67vG7CfPqG9yz8/gH4ab+TGw7pFlHFqpvdtaDaSvhEVt
3HgtefV2fXSszUOt3x4mcdA9b+LThn2Ne5y2azJ0YAfH5vgDB5FSrjxmAThoJFz4
gycM8MPpyy11ds1DN0CfUJWPddWEPF5Tnp7L43e1XKg4ZL4xtESEjfKCJf3wDYfT
RT3R95PlgtW35Qmub2tEGyzoj0EYK6yStlbpZYc=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/CN=jcrooke.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4662 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: B8199DF93BA321324732BD98BE2BFA83AB482E0A3495E3814763BE9C3AB8FC44
    Session-ID-ctx: 
    Master-Key: 40F9D1E9DAC4444B11ED32255AC9E8DB96D0A7FAD1C302D140DB042D99511AEC50DB79CF576E5CF31B833FC8A814BB92
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f5 16 80 fa 76 8c 3d 59-7e 28 0e 8f 84 95 57 5c   ....v.=Y~(....W\
    0010 - 22 40 26 7e d5 31 c5 c0-38 4e 4f 00 86 e2 f7 4d   "@&~.1..8NO....M
    0020 - 04 1a f0 fb 75 a8 3c de-02 29 b5 b9 cc c2 62 85   ....u.<..)....b.
    0030 - ab 99 42 9a d8 e3 c9 eb-5b a5 95 4d ad f9 ec 02   ..B.....[..M....
    0040 - 2b 9c c3 8c 3d 99 89 48-43 3a 34 2e 4c c6 1f 39   +...=..HC:4.L..9
    0050 - 0e b3 a1 3a 0e cc fa 20-6c a3 42 0e ab 7e 35 fd   ...:... l.B..~5.
    0060 - 4e ff ca e0 0e 36 4a 1e-01 b3 00 d0 e5 10 9e 9f   N....6J.........
    0070 - 5a c7 05 22 53 92 61 c9-60 90 cc c7 1b df c7 28   Z.."S.a.`......(
    0080 - 33 06 c7 d5 87 3f 6b 2a-4d e5 da e4 de 98 6b ee   3....?k*M.....k.
    0090 - 4b 44 44 06 87 20 1f e2-d2 87 1c 95 a4 5b 63 fc   KDD.. .......[c.
    00a0 - 2c a3 c6 0d aa 8f ac 2c-cf ae d1 a9 5d 4d 30 c9   ,......,....]M0.
    00b0 - 3e 22 e8 11 2b 13 db 2a-76 dc 2e fa 91 90 39 d7   >"..+..*v.....9.

    Start Time: 1635678164
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

@itsthejb That version of openssl does not handle the current default chain from Let's Encrypt. The chain you send is fine and is the same as used by this website. It is only your openssl that is a problem.

Version 3.3.5 seems to fix it, but I do not know anything about installing it on your system.
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt

See more info from openssl (not your version but good explanation)

And explanation of the current chain options

4 Likes

Ok, great - so I ran the command again from my actual (CentOS) server, and I assume this is a better output:

» openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = jcrooke.net
verify return:1
---
Certificate chain
 0 s:CN = jcrooke.net
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgISBCyiMmuT+p+PgaCSPzouAqrEMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMzEwODQwNTZaFw0yMjAxMjkwODQwNTVaMBYxFDASBgNVBAMT
C2pjcm9va2UubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHyu
X/t6jiaFkXphZTfn3gEzAe2xxYL+KSV9fCT4WV4ukYBb769VEHtkVWTHKmCPaz2O
x8wbn+lGzpY0zB0XMCJREeZ7iyKalvMte65D8VDJU3P7mnPtCHQymmeuDthIDS9I
zrKMrZnbnEo0hpMuuNlkq1+VtV0jGtiQ1hEg4Z+vk9stgTKts2XwFT707dZmhTaO
YDBkHMb9CCiJRkfEhEckwWXjCATKM4AlXy6hGIY2dvgF+9k6o8xQBHU+mGiKThbs
1TqS3Q+3aM6/JpwaWbi03is0e+8chW0ehFxm+tWcG1EOVk3IKdGEk6gseEUX8NFk
10Rx7jk2Lju1xBxg0QIDAQABo4ICUzCCAk8wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBSTe9kKV94rym7O/S7/VubpxoWl9jAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDm
H6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5v
LmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAl
BgNVHREEHjAcgg0qLmpjcm9va2UubmV0ggtqY3Jvb2tlLm5ldDBMBgNVHSAERTBD
MAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8v
Y3BzLmxldHNlbmNyeXB0Lm9yZzCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1AN+l
Xqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAABfNW5MgAAAAQDAEYwRAIg
Aes1VZGJvdl3VzzYNg+d5nvnodZJmf4sFcSpg2oQMOUCICxXSt6ZNnQvgK19BlgR
FsYyhyCNPSDJgisXgVwu3WNCAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0m
XCVdx4QAAAF81bkx+AAABAMARjBEAiB35rP61N9Ow0aBKfyN3sNqQzuzmiat8B2O
pjRFi8JSjQIgFdzr7bvVtt4LNFc/eyjWHOUeeT7SwEvtDhj2+qxjAYYwDQYJKoZI
hvcNAQELBQADggEBADH0EiJzentk4b8MrW7eLtJki3XupjUg+xZmCqnTYX4zXKQS
vONOiX3/MHm4cNFUBuy0qAG/tFBwVbmsHHErKJbhmFo+KKsLE2HqRuO3FKBaknME
3KUHjb8+KQX99pw4VvmL67vG7CfPqG9yz8/gH4ab+TGw7pFlHFqpvdtaDaSvhEVt
3HgtefV2fXSszUOt3x4mcdA9b+LThn2Ne5y2azJ0YAfH5vgDB5FSrjxmAThoJFz4
gycM8MPpyy11ds1DN0CfUJWPddWEPF5Tnp7L43e1XKg4ZL4xtESEjfKCJf3wDYfT
RT3R95PlgtW35Qmub2tEGyzoj0EYK6yStlbpZYc=
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = jcrooke.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4577 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0A6F78AAB3E996A1193780F7C854B2A15F6EB2A74EA00BA04FDD16B62B4DB815
    Session-ID-ctx:
    Resumption PSK: 503347CC828BFC467082E9E6E9749A824CC8320BBE458FD73A0490D2C0CBC601AD2DEB09BA5E96BD9B42F1DCD42F3F7C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f5 16 80 fa 76 8c 3d 59-7e 28 0e 8f 84 95 57 5c   ....v.=Y~(....W\
    0010 - 29 c5 66 0b 6b 93 1f 7f-9c e5 42 23 68 48 3a b9   ).f.k.....B#hH:.
    0020 - f8 ac b2 85 ea cc a6 ae-82 96 2e 3a 0b 26 13 75   ...........:.&.u
    0030 - 06 a0 78 54 8e 76 00 17-c1 f1 ab 26 c1 46 87 3f   ..xT.v.....&.F.?
    0040 - 1f 60 59 14 57 55 e0 06-a9 a1 85 e6 84 da 2e d8   .`Y.WU..........
    0050 - a7 bd c7 48 6b 48 fe 1d-bd be 4e 58 99 ec 9a 6a   ...HkH....NX...j
    0060 - a6 0f 63 7a 36 79 67 c4-a9 7c f7 bb 24 6e f3 62   ..cz6yg..|..$n.b
    0070 - 56 7a a5 c9 bd f5 d4 98-4e e9 9f 73 78 97 d3 af   Vz......N..sx...
    0080 - 2e c5 02 9c 87 ba 57 e5-91 df fc 6e a6 fd 7e 3d   ......W....n..~=
    0090 - b4 f3 a4 f2 a6 f3 e9 51-d2 fd 34 00 63 82 04 49   .......Q..4.c..I
    00a0 - c3 29 92 a4 f7 3f 28 72-ea 04 ea 0a 32 cf c1 5a   .)...?(r....2..Z
    00b0 - 27 62 44 27 b3 53 39 f2-91 fb 63 0b 9c e1 da ad   'bD'.S9...c.....
    00c0 - 01 2c 7f 52 9e 97 fb b6-21 88 74 72 b9 6d 8b fe   .,.R....!.tr.m..
    00d0 - 83 fa 80 b5 89 f6 61 8e-8a 0d 2f 1a fe 4e b7 9d   ......a.../..N..

    Start Time: 1635682849
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D77303232A9DDC20F6640AFF4088B5230791870555CE8BAD45AC4451B4758976
    Session-ID-ctx:
    Resumption PSK: 8588C5904D264189740DD6F86C38270935637FB321D00D86C62F220250E4296D8EA9DB7870900E1C39BC86B3E6DC5078
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f5 16 80 fa 76 8c 3d 59-7e 28 0e 8f 84 95 57 5c   ....v.=Y~(....W\
    0010 - d9 ea a7 13 bb 06 6a f7-64 76 08 70 b5 c0 ac 78   ......j.dv.p...x
    0020 - 2f 21 1b 18 7d 00 20 42-cb 8a 4e 9e bb 5a 07 2f   /!..}. B..N..Z./
    0030 - 30 f6 23 44 75 ad e3 d8-c5 fa f9 75 38 d2 70 58   0.#Du......u8.pX
    0040 - fb 07 b4 40 42 a7 f3 36-a3 0e 82 a3 89 9e 36 32   ...@B..6......62
    0050 - 2e 42 6c 82 e5 f6 4e 32-02 89 ea 70 79 fb 50 2c   .Bl...N2...py.P,
    0060 - 59 34 8f ec 47 d4 a9 b0-6e 6a 37 fb 7b 78 43 71   Y4..G...nj7.{xCq
    0070 - e2 68 d4 3b ca a5 25 b6-da 83 c1 5f ed 48 e9 3f   .h.;..%...._.H.?
    0080 - a9 a5 8b ad 5f 36 10 13-8f db 2a 7b fd 7b d2 4f   ...._6....*{.{.O
    0090 - d2 20 c7 b6 9a 09 09 97-5c 00 a4 08 c4 48 ad 4d   . ......\....H.M
    00a0 - 44 b7 d5 e3 92 30 61 47-8c 61 df 72 f5 8c 33 bb   D....0aG.a.r..3.
    00b0 - 8b 92 af 3d 27 76 5f cf-65 fa 29 f8 34 1b 3e 3c   ...='v_.e.).4.><
    00c0 - a2 8c fd 32 ff 34 a4 87-b0 8d 1c 9c 84 9e 79 5d   ...2.4........y]
    00d0 - 1a 4e 41 d2 22 af 20 ca-e6 8a 0b 97 f8 49 8c 3c   .NA.". ......I.<

    Start Time: 1635682849
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Is it possible now to discern what might be wrong that's causing iOS/macOS to request the cert? This page details the requirements: Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

It does not "request" a "wrong" cert - it gets the same one you see on Centos. That openssl version is just interpreting the chain poorly. The reason why is explained in the openssl link I provided. If you could update it to 3.3.5 it would verify just fine like the Centos openssl 1.1.1 did for you. Or, if your LibreSSL version offers a "trusted_first" option that would work too. You could look that up.

The Apple description of certs is not related to this issue.

3 Likes

Hi @MikeMcQ

Thanks for your input. I think there’s some confusion about what the actual issue is here:

  • (if my theory is correct), the underlying problem is that recent updates to iOS and macOS result in the letsencrypt cert of my server being rejected (Cannot Connect Using SSL). This means CalDAV no longer works
  • regarding OpenSSL here, I’m just trying to provide some information regarding the certs to help debug the issue. I can’t comment more on what requirements are failing for CalDAV internally. There’s the above link specifying the requirements, but I don’t see what’s missing
  • the host is publicly available so also can be queried remotely if that helps
  • I can provide any other info. I thought the OpenSSL output might be enough

Please let me know if that’s not clear. Thanks

1 Like

Ah, yes, I was thinking the openssl error messages were what you were concerned about.

I am not familiar with CalDAV or its requirements so you will need to wait for someone else. But, the change is not likely due to the recent iOS / macOS updates but instead the expiration of the Let's Encrypt DST Root CA X3.

Your server sends the "long chain" but perhaps the "short chain" would be better in your case. I see Rudy is replying now so let's see what he has to say.

3 Likes

If you want a very simple test (and likely resolve to this situation), try changing CAs.
To any other (FREE and ACME friendly) CA; which implies using a completely different trust chain.
If that "fixes" the problem, then that "fixes" the problem.

I do so love repetitive redundancy repeated over and over again when said more than once, so someone please repeat these words of wisdom (or point to where they have been spoken before):
The new LE longer trust chain is not well suited for some clients.
The new LE shorter trust chain is not well suited for some clients.
[sometimes you just can't please all of the people all of the time :frowning:]

5 Likes

Thanks again for the input.

Trying things out with another totally different cert is a good idea, but a little difficult with my setup, because I'd need a free wildcard cert to test (that is one of the reasons I'm using LE). Otherwise fiddly to change things just for testing. I don't seem to be able to find a free one, and would rather avoid the expense... Can anyone suggest anything?

Also, could anyone point me to a resource regarding the long/short LE chains? I don't appear to be able to find information about whether or not this is something I can configure.

1 Like

With certbot 1.20.0, you can use the --preferred-chain option (with "ISRG Root X1").
[you can easily search this site for more info on that option]

If your testing period would be less than 90 days, you can get a wildcard cert from LE using DNS authentication with certbot in manual mode.
[you can easily search this site for more info on that option]

1 Like

Thanks! However, am I not already using the ISRG Root X1 (shorter?) chain? From Chain of Trust - Let's Encrypt, it seems that DST Root CA X3 would be the longer/older compatibility chain? This one I believe I don't need, since all my clients are up-to-date. This makes it all the more confusing that I have problems in my case.

Otherwise I'm going to try the self-signed solution here: https://bob.gatsmas.de/caldav-sync-erinnerungen-app-ios-13-und-macos-1015, to verify if it really does work with another cert.

1 Like

I see the longer/default chain:

echo | openssl s_client -connect nextcloud.jcrooke.net:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = jcrooke.net
verify return:1
DONE
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = jcrooke.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
2 Likes

Ok, great, thanks for checking and sorry for my ignorance. Giving it a try now...

1 Like

Tried the above, didn't make a difference. I'm also trying the self-signed cert approach from https://bob.gatsmas.de/caldav-sync-erinnerungen-app-ios-13-und-macos-1015 (German article). This produces:

CONNECTED(00000003)
depth=1 C = DE, O = Privat, CN = Privat CA 1.0
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = DE, O = Privat, CN = Privat CA 1.0
verify return:1
depth=0 C = DE, O = Privat, CN = Privat Serverzertifikat v1.0
verify return:1
---
Certificate chain
 0 s:C = DE, O = Privat, CN = Privat Serverzertifikat v1.0
   i:C = DE, O = Privat, CN = Privat CA 1.0
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = DE, O = Privat, CN = Privat CA 1.0
   i:C = DE, O = Privat, CN = Privat CA 1.0
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, O = Privat, CN = Privat Serverzertifikat v1.0

issuer=C = DE, O = Privat, CN = Privat CA 1.0

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3708 bytes and written 398 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BA44936537B07D48C4DC9C7A9FD359F810000FC06D49F1FEF2EA76FE6F89D87A
    Session-ID-ctx:
    Resumption PSK: 591176685655202FDADE6A29692E72AF7FF58BCA9337317A0DD21FDFFD0ABB5C01B1060ED36DC737798E0B5673B916A8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 9b 74 ea cd 9a eb 76 2a-3d c3 f5 83 92 ab fd 69   .t....v*=......i
    0010 - 4e ca 3a bf ec 88 98 aa-b9 3d 34 95 40 b3 dc 67   N.:......=4.@..g
    0020 - 62 54 8a 88 7c 47 f5 9e-52 81 31 94 08 c7 4c c9   bT..|G..R.1...L.
    0030 - 2a 4a e8 b9 bd 0b ba 4b-b2 d0 22 c3 af b5 64 1f   *J.....K.."...d.
    0040 - 28 74 65 e6 5f 4f 77 6c-13 5c 88 0e c5 4b 91 e0   (te._Owl.\...K..
    0050 - 78 f4 0e c4 44 34 23 cc-8e df 93 61 28 5d 09 bc   x...D4#....a(]..
    0060 - b8 d7 05 56 48 86 c0 75-fb 85 b7 42 74 ef c3 98   ...VH..u...Bt...
    0070 - fe 41 d4 94 11 36 ba 92-b9 12 a6 1d c6 36 fe a0   .A...6.......6..
    0080 - ee 1a c4 ff 34 2c a2 86-17 00 9c 49 5a 91 57 75   ....4,.....IZ.Wu
    0090 - 04 03 84 7f 9b b1 7b 5e-d4 ed a1 b0 e7 70 ef 75   ......{^.....p.u
    00a0 - 8e 2d a7 d1 01 70 d8 ff-98 39 02 39 09 dc 63 41   .-...p...9.9..cA
    00b0 - 9f 1a 4d 96 ce 40 59 5b-9e e6 1c f8 d6 2e b7 cf   ..M..@Y[........
    00c0 - ee af aa f2 c8 69 98 49-62 7d 06 67 53 e8 13 1f   .....i.Ib}.gS...
    00d0 - d6 ac 22 a9 7d 5e 81 3c-56 ea a7 e1 27 f9 91 57   ..".}^.<V...'..W

    Start Time: 1635862925
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 99C86DE08A11ED47FA0943406DC9B17AC236238D2B13123CFC9BD402D85769FA
    Session-ID-ctx:
    Resumption PSK: BE2BBA0223B2C68F1A9BC42F2E92C9291E632071ABC15B58B8A78D2590B1EC4D8BB6C0DE2EC7FFBA25FED3175DAA2ED0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 9b 74 ea cd 9a eb 76 2a-3d c3 f5 83 92 ab fd 69   .t....v*=......i
    0010 - 26 6e 5e 90 0a 85 4e f8-9f 29 e1 3a 62 3c c8 e6   &n^...N..).:b<..
    0020 - eb 27 fa f2 f1 b2 76 5d-9d db 5b d8 5a 34 73 77   .'....v]..[.Z4sw
    0030 - d6 27 cc 01 4e a4 45 21-ec d9 96 7a 50 51 6f 5c   .'..N.E!...zPQo\
    0040 - 9e 43 e5 3a 45 bf f3 4c-33 36 ea ea 1a c5 00 f1   .C.:E..L36......
    0050 - 71 06 48 08 3c 2a 97 b4-18 ee b8 8a 77 78 91 b3   q.H.<*......wx..
    0060 - c9 93 59 ae 30 df bf 79-5d 7a 90 01 eb 90 f6 bf   ..Y.0..y]z......
    0070 - d3 89 7d 7c a8 d8 f3 75-44 15 53 e4 49 cc 05 4b   ..}|...uD.S.I..K
    0080 - da 9b ac 63 68 78 48 dd-2a e6 91 8f 44 65 5b 16   ...chxH.*...De[.
    0090 - b5 89 00 0f bc c9 61 9d-74 45 79 a6 c3 8a a6 8b   ......a.tEy.....
    00a0 - 37 82 0b b8 5e e8 d7 4a-f5 b9 e7 10 cc ca a1 30   7...^..J.......0
    00b0 - 1b 5d d9 ef cb 72 2b e5-94 d8 87 ee ed 3b 02 e6   .]...r+......;..
    00c0 - 87 4f 00 9f 4d 9f ce 8a-a0 68 13 4d 18 34 73 db   .O..M....h.M.4s.
    00d0 - 4e 40 64 b3 89 d5 82 9a-9f c4 48 80 49 dd 32 58   N@d.......H.I.2X

    Start Time: 1635862925
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

The idea is to create this cert and manually trust for testing. However, the problem remains! This is now leading me to suspect that the problem may be something different...

That response is expected.
You must first add that self-signed root into your trusted root system for it to be trusted.
If all self-signed certs were automatically trusted, there would be no PKI system nor any security.

3 Likes
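The two diagnoses given in this thread (an old LibreSSL stopping at the expired DST Root CA X3 cross-sign even though the served chain is the standard Let's Encrypt "long chain", and a private root that is simply not in the client's trust store) can both be read straight off the `openssl s_client` transcript. The script below is an added example, not code from the thread or from any project mentioned in it: it parses the transcript format that openssl/LibreSSL print (both the older `/CN=...` and the newer `CN = ...` distinguished-name styles), names the chain shape the server sent, and separates a client-side verification problem from a server-side one. The sample transcripts are constructed, abridged from the outputs posted above; the verdict strings are this example's own wording.

```python
"""Classify the chain that `openssl s_client` reports (added example, not from the thread).

Assumes the plain-text transcript format printed by openssl / LibreSSL s_client.
The sample outputs below are constructed, abridged from the thread's transcripts.
"""
import re

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_SUBJ_RE = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISS_RE = re.compile(r"^\s*i:(.*)$")
RC_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_dn(dn):
    """'/C=US/O=Let's Encrypt/CN=R3' or 'C = US, O = Let's Encrypt, CN = R3' -> dict."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(", ")
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_s_client(text):
    """Collect per-depth verify errors, the served chain and the summary return code."""
    chain, errors, return_code, pending = [], [], None, None
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = DEPTH_RE.match(line)
        if m:  # remember which depth a following 'verify error' line belongs to
            pending = (int(m.group(1)), parse_dn(m.group(2)).get("CN"))
            continue
        m = ERR_RE.match(line)
        if m and pending:
            errors.append({"depth": pending[0], "cn": pending[1],
                           "num": int(m.group(1)), "msg": m.group(2)})
            continue
        m = CHAIN_SUBJ_RE.match(line)
        if m and idx + 1 < len(lines):
            issuer = CHAIN_ISS_RE.match(lines[idx + 1])
            if issuer:
                chain.append({"subject": parse_dn(m.group(2)),
                              "issuer": parse_dn(issuer.group(1))})
            continue
        m = RC_RE.search(line)
        if m and return_code is None:  # first summary line wins
            return_code = int(m.group(1))
    return {"chain": chain, "errors": errors, "return_code": return_code}


def classify_chain(chain):
    """Name the chain shape the server sent, judged by the last certificate it included."""
    if not chain:
        return "no chain"
    last = chain[-1]
    subj_cn, iss_cn = last["subject"].get("CN"), last["issuer"].get("CN")
    if last["subject"] == last["issuer"]:
        return f"self-signed root included (CN={subj_cn})"
    if subj_cn == "ISRG Root X1" and iss_cn == "DST Root CA X3":
        return "long chain (ISRG Root X1 cross-signed by the expired DST Root CA X3)"
    if iss_cn == "ISRG Root X1":
        return "short chain (ends at an intermediate issued by ISRG Root X1)"
    return f"other chain (last issuer CN={iss_cn})"


def diagnose(text):
    """Tell a client-side verifier problem apart from a chain the server got wrong."""
    parsed = parse_s_client(text)
    kind = classify_chain(parsed["chain"])
    expired_cross = any(e["num"] == 10 and e["cn"] == "DST Root CA X3" for e in parsed["errors"])
    if kind.startswith("long chain") and expired_cross:
        # Note the summary line can still say 'return code: 0 (ok)' while errors were printed,
        # so the per-depth lines, not the summary, carry the diagnosis.
        verdict = "client-side: verifier stopped at the expired cross-sign; update the TLS library"
    elif parsed["return_code"] == 19:
        verdict = "client-side: private root is not in this client's trust store"
    elif parsed["return_code"] == 0 and not parsed["errors"]:
        verdict = "chain verifies cleanly from this client"
    else:
        verdict = "unclassified; inspect the errors"
    return {"chain": kind, "verdict": verdict, "errors": parsed["errors"],
            "return_code": parsed["return_code"]}


# Constructed sample: old LibreSSL, old DN style, long chain (abridged from the thread).
LIBRESSL_OUTPUT = """\
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
verify return:0
CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=jcrooke.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 0 (ok)
"""

# Constructed sample: private CA, new DN style, root shipped in the chain (abridged).
SELF_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = DE, O = Privat, CN = Privat CA 1.0
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=0 C = DE, O = Privat, CN = Privat Serverzertifikat v1.0
verify return:1
---
Certificate chain
 0 s:C = DE, O = Privat, CN = Privat Serverzertifikat v1.0
   i:C = DE, O = Privat, CN = Privat CA 1.0
 1 s:C = DE, O = Privat, CN = Privat CA 1.0
   i:C = DE, O = Privat, CN = Privat CA 1.0
---
Verify return code: 19 (self signed certificate in certificate chain)
"""

if __name__ == "__main__":
    for name, sample in (("LibreSSL 2.8.3", LIBRESSL_OUTPUT), ("private CA", SELF_SIGNED_OUTPUT)):
        result = diagnose(sample)
        print(f"{name}: {result['chain']} -> {result['verdict']}")
```

To run it against a live server, capture `openssl s_client -showcerts -connect host:443 2>&1` into a file and call `diagnose(open(path).read())`; the chain classification answers the "long or short chain?" question asked later in the thread without reading the PEM blocks by hand.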

Problem solved! The issue was indeed not at all the certificate, but down to the .htaccess redirects for CalDAV, which lost the https. See Reminders.app does not display NC tasks - #32 by itsthejb - 📆 Calendar - Nextcloud community

Closing this. Thanks to everyone that helped, sorry I was off the mark!

3 Likes
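The resolution points at a redirect rather than at the certificate: the CalDAV redirect dropped the https scheme, so the client was bounced to a plain-http URL and reported it as an SSL failure. The fragment below is an added example, not the thread's or Nextcloud's own configuration, and the thread does not say which form the original rule took. It assumes mod_rewrite and Nextcloud's default DAV endpoint path `/remote.php/dav/`, and shows one way a redirect can lose the scheme (a relative target behind a TLS-terminating proxy, where Apache builds the Location header from the scheme it saw) next to a form that pins it.

```apache
# Added example (assumed layout: .htaccess at the document root, DAV endpoint at /remote.php/dav/).
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Weak form: a relative target leaves Apache to build the absolute Location
  # header from the scheme of the request it received. Behind a proxy that
  # terminates TLS that scheme is http, so the client is redirected to
  # http://host/remote.php/dav/ and an https-only CalDAV client fails.
  # RewriteRule ^\.well-known/caldav  /remote.php/dav/ [R=301,L]
  # RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]

  # Pinned form: name the scheme explicitly so the redirect always lands on https.
  RewriteRule ^\.well-known/caldav  https://%{HTTP_HOST}/remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/carddav https://%{HTTP_HOST}/remote.php/dav/ [R=301,L]
</IfModule>
```

A quick check after changing the rule is `curl -sI https://host/.well-known/caldav` and reading the `Location:` header: it should begin with `https://`. Checking the redirect target, not only the certificate, is the step that would have shortened this thread.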

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.