Issues with SSL and phpmyadmin/MySQL

Maybe it's as simple as the MySQLd directive ssl_cert not accepting the full chain file? But just cert.pem? The documentation for ssl_cert does not describe the feature of chains, but only speaks about "certificate" in singular.

That said, the documentation of the ssl_ca directive strongly hints at its usage for client authentication, which is not helpful with regard to chains.

:man_shrugging:t2:

Maybe you get better help at a MySQLd specific forum?

3 Likes

Is a TLS (SSL) connection even required? This looks to be all local connections; can't you just use a Unix socket connection?

3 Likes

I was thinking about that too earlier, but I saw some different IP addresses, 192.168.0.55 (server) and 192.168.0.50 (user). But now that I'm thinking about that: maybe the user (.50) from that screenshot was just for testing purposes, and everything could indeed be done locally?

2 Likes

Yes, it's required. I'm using a local user just for simplicity. After all, it's easier to type in 192.168.0.55 than myLongDomainThatHasALotOfSpecialChars.com every time.

1 Like

Well, MySQLd doesn't accept cert.pem either ¯\_(ツ)_/¯

Did you manage to get an RSA type cert?

2 Likes

Using https://crt.sh you can find a list of issued certificates for a domain name, such as crt.sh | example.com; since you know the domain name (and I believe we do not) you can check what certificates (if any) have been issued. You can check the individual certificates by clicking on them and see details such as crt.sh | 8913351873; here is an excerpt of the data shown:

        Subject:
            commonName                = www.example.org
            organizationName          = Internet Corporation for Assigned Names and Numbers
            localityName              = Los Angeles
            stateOrProvinceName       = California
            countryName               = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c2:80:77:89:59:b8:45:6f:ba:4a:d9:11:fa:7b:
                    ad:c7:57:d0:7a:fb:b6:fa:dd:05:bb:a2:81:71:bb:
                    e1:7f:21:d2:5f:2e:f0:d2:72:4e:75:34:f8:8d:62:
                    e3:4a:da:51:90:d4:01:3d:9c:0c:c0:71:f7:e6:2f:
                    b6:d6:07:67:26:d0:de:ff:17:ce:f0:85:fd:31:c1:
                    66:ca:87:65:05:47:2a:5f:c0:ab:b8:8c:c3:bf:d0:
                    17:7f:63:a3:5c:f0:46:fb:86:aa:fb:4d:d7:2a:5e:
                    7f:9a:e0:13:97:7d:be:fb:7d:35:57:0d:5d:5e:81:
                    98:35:ea:16:42:a2:d3:b0:74:f7:59:2d:ed:38:e7:
                    fe:7a:1b:b3:36:e6:7e:ae:3f:9e:a6:16:83:de:53:
                    01:4e:81:00:ae:bb:42:f5:1f:75:29:34:cd:e9:84:
                    80:38:ae:3c:37:14:c0:f0:27:ce:30:52:b9:8a:dc:
                    5f:22:a0:79:f8:4f:4e:49:04:e2:75:7c:aa:2f:2a:
                    1e:03:ec:71:4c:a3:2a:61:fc:6f:ca:91:1e:93:5a:
                    2e:78:08:58:f6:ee:bb:34:20:5d:9a:e6:af:c6:d7:
                    f2:bf:0a:7b:fa:8e:92:77:e3:6c:7b:0c:40:86:64:
                    4a:15:ec:70:d7:72:8e:63:30:e1:0b:ef:5a:30:97:
                    2e:25
                Exponent: 65537 (0x10001)

In this case, an RSA Public-Key: (2048 bit).

1 Like

"certbot certificates" will also tell you which type each certificate is.

2 Likes

And much likely easier too! :beers:

1 Like

I think they did

1 Like

I read that as if they had tried to get an ECDSA cert [already].

2 Likes

If @xTracer would post the certificate or certificate chain (NOT the Private Key) we could check.

2 Likes

It says key type RSA, or am I missing something?

3 Likes

I guess I'm the one that is missing something.
[I got turned around - they tried both types without any luck]

3 Likes

Those docs have this note:

Note

Chained SSL certificate support was added in v8.0.30; previously only the first certificate was read

I still think this is a good idea.

3 Likes
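A small check script, added here as an example and not posted by anyone in the thread, that covers the two points raised above: finding out whether a certificate's key is RSA or ECDSA (the crt.sh / `certbot certificates` question), and what a fullchain file looks like to software that reads only the first certificate (the 8.0.30 note). It needs only the `openssl` CLI. The directory layout and the self-signed sample chain it builds are constructed for the example; they are not a real Let's Encrypt lineage.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
# Inspects PEM files the way you would inspect a certbot lineage
# (cert.pem, chain.pem, fullchain.pem, privkey.pem): how many certificates
# a file holds and which key algorithm the leaf certificate uses.

# Number of PEM certificate blocks in a file.
# cert.pem holds 1; fullchain.pem holds the leaf plus the intermediate(s).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Key algorithm of the FIRST certificate in the file, as openssl prints it:
# "rsaEncryption" for an RSA key, "id-ecPublicKey" for an ECDSA key.
# Note that `openssl x509` reads only the first certificate of a file,
# which is the same behaviour the quoted MySQL note describes before 8.0.30.
leaf_key_type() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Split a fullchain file into the leaf (first block) and the remaining
# blocks, for software that wants one certificate per file.
split_fullchain() {
    fullchain=$1; leaf=$2; rest=$3
    awk -v leaf="$leaf" -v rest="$rest" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { if (n == 1) print > leaf; else if (n > 1) print > rest }
    ' "$fullchain"
}

# Constructed sample data: a self-signed RSA "CA" and an ECDSA P-256 leaf
# signed by it, concatenated into fullchain.pem like certbot would.
make_sample_chain() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj '/CN=Example Test CA' -days 1 >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" \
        -subj '/CN=db.example.test' >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/cert.pem" -days 1 >/dev/null 2>&1
    cat "$dir/cert.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
}

# Report on every PEM certificate file in a directory (a certbot lineage
# directory or the sample one from make_sample_chain).
report() {
    for f in "$1"/*.pem; do
        case "$f" in *privkey*|*.key) continue ;; esac
        printf '%s: %s certificate(s), first key type %s\n' \
            "$f" "$(count_certs "$f")" "$(leaf_key_type "$f")"
    done
}
```

Run `make_sample_chain /tmp/demo && report /tmp/demo` to see the difference between cert.pem (1 certificate, id-ecPublicKey) and fullchain.pem (2 certificates, but `leaf_key_type` still only sees the first). Point `report` at a real lineage directory to get the same answer `certbot certificates` gives for the key type.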

Here ya go

2 Likes

Where does this requirement come from? Certain application refuses to connect? Or from the scary red note “SSL is not being used” in phpmyadmin? I'm trying to see if we have a sort of an XY problem on hand.

I also concur that this issue is really outside of the scope of this forum.

3 Likes

Certain application refuses to connect? Or from the scary red note “SSL is not being used” in phpmyadmin?

Kinda both. I don't want to use a non-encrypted connection for obvious reasons. Nginx can only secure the HTTP connection but not the MySQL one.

MySQL "requires" a CA certificate which Certbot doesn't generate, and LE's root CAs don't work with MySQL. Hence why I'm asking here.

If the connection between your mysql server and the app is always within your LAN or VM/Host bridge — encryption doesn't really add much to security.

If you insist on making the connection encrypted, I would personally suggest setting up some sort of VPN, like WireGuard.

1 Like

This is the wrong place to seek MySQL support. This forum exists to support Let's Encrypt certificate issuance. You have already accomplished that. Issues employing a certificate with a particular application will need to be directed to an appropriate support venue for the application.

While I have TLS in use with MySQL, I use a private CA, so any particulars from my setup would be of limited use in addition to being out of scope.

I found a relevant article on the Percona website. They are indisputable MySQL experts. You may want to see if their guide can get you through your challenges.

5 Likes