On FreeBSD we use the Firefox NSS
root CA's. The following errors I get when trying to reach it manually from my system:
Certificate verification failed for /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.emby.tv
34370523136:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
When I use Chrome on Windows 10 I can surf to it perfectly fine. Checking with SSL labs it should be trusted by Mozilla ...
It seems the full chain cert is not served to clients (chain incomplete) & wrong HSTS header policy. Not sure if any of those have anything to do with it. Forcing it is one solution although not the correct one IMO.