When enabling HTTPS in the config, the certificate (chain) works fine with macOS browsers (Firefox, Safari) and the Companion macOS app. But the iOS app complains that the certificate is invalid (NSURLErrorDomain -1202).
I guess this happens because I am using my own root CA.
I have provided the proper fullchain.pem, containing the certs for the server, the server CA and the root CA.
On iOS I also have provided all those certs in a profile using Apple Configurator and I have fully trusted the root CA certificate on iOS.
The server cert contains SANs for the DNS name used in the iOS and mac app for connecting internally.
(Note: when connecting through an NGINX proxy this works fine, as the NGINX proxy is using a Let's Encrypt certificate, no own root CA.)
I already checked with TLS Inspector: the trust chain order of the certificates is: server, server CA, root CA.
testssl.sh complains that the root CA cert is self-signed, which is fine if you have your own root CA. All the other stuff looks good.
If someone got HA Companion on iOS to play nice with his own root CA, let me know what you did and where the pitfalls to avoid were.