Hi Aki and all,
Thanks for the feedback.
I have removed the home-made root CA and the home-made server cert
signed by the root CA, replaced it with valid Let's Encrypt cert and
all works well.
Whilst the home-made certs have always worked well (years) with
Thunderbird clients and iOS 12.x, the new iOS 13.0 is now very picky
about the cert parameters. The Let's Encrypt cert is a good
solution, although I may eventually explore learning how to properly
use OpenSSL to generate home-made root CA and server certificates.
Can anyone point me to a good resource that has all the information
for generating these certs?