V3: SSLV3_ALERT_CERTIFICATE_UNKNOWN with letsencrypt certificate
This is my config:
[server]
hosts=0.0.0.0:5232
max_connections = 20
# 100 Megabyte
max_content_length = 100000000
# 30 seconds
timeout = 30
ssl = True
certificate = /etc/letsencrypt/live/mydomain/fullchain.pem
key = /etc/letsencrypt/live/mydomain/privkey.pem
#certificate_authority = /etc/ssl/certs/ca-certificates.crt
#[encoding]
#request = utf-8
#stock = utf-8
[storage]
filesystem_folder=/mnt/radicale/collections
max_sync_token_age = 2592000
[auth]
type = htpasswd
htpasswd_filename = /etc/radicale/users
# encryption method used in the htpasswd file
htpasswd_encryption = md5
[logging]
level = info
mask_passwords = True
#config = /etc/radicale/logging
[headers]
Access-Control-Allow-Origin = *
System is a Raspberry Pi v3 with buster.
I have no problems connecting with a web browser on my desktop and manually accepting the certificate, but trying to connect with a DavX account and calendar app on Android fails with this message. Trying to access it with Firefox on Android also gives me this.
python3[26081]: [2023-06-14 12:35:02 +0200] [26081/Thread-26] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN
python3[26081]: [2023-06-14 12:36:25 +0200] [26081/Thread-27] [INFO] Client timed out
Any helpful advice?
SSLV3_ALERT_CERTIFICATE_UNKNOWN is caused by the TLS client not trusting the TLS server. Either the trust stores of the browser and the calendar app are different, or not the same certificate is in use, or the fullchain.pem is incorrect (e.g. order).
Try to verify using openssl s_client... and potentially also simulating the server with openssl s_server...
Thanks. I just used lighttpd as a reverse proxy. Worked without changing any SSL certs.