Nginx reverse proxy => tomcat problem

If it uses Java default trust store, this is expected:

If you control client-side, load IdenTrust root on demand.