The weirdest thing, but it turned out to be a user (me) error and is now solved. But still weird.

Since around the end of March, three weeks ago, my @Tuta android app on my Samsung phone failed to connect to the servers, while the same app on my Samsung tablet worked fine. Wiped its data, reinstalled, installed old version, switched to the play store, nothing helped. Logs show there's a certificate failure connecting to app.tuta.com over https. Chrome connects fine.

But, Chrome does a few confusing things: the site mentions 'tuta is now called tuta' instead of the normal message 'tutanota is now called tuta'. Also does it popup a message that there's a new version, which is weird for a webapp that I haven't installed. Also does Chrome report that the certificate expired last January, but Chrome doesn't see this as an error. Comparing against my tablet, but there the site and cert are all good. Checking again on my phone and all these issues are gone. Hence no screenshots. The app still doesn't connect however...

Turned out I had disabled some root certificates on my phone, including the one Tuta, via Let's Encrypt, uses: ISRG Root X1. Enabling that one and all was fixed.

Now I'm just confused. I made that change years ago. Why did the tuta app only last month have problems with it? Did their root change? And why doesn't Chrome protest, since I use a lot of Let's Encrypt certificates. And why did Chrome first give me this expired certificate? Has to be a cache thing plus Chrome maybe having its own list of CAs.