Oh, you gotta love that stuff. You know if you add the certificate to the CA on the system it's running on, and sign the certificate with itself, it gets around that stuff?

Another solution is to use a LetsEncrypt web server SSL cert, generate for the ACME validation and then use it on the socket, then it is signed by a commonly available CA.