[squeak-dev] SSL/Socket error code interpretation

Tobias Pape Das.Linux at gmx.de
Tue May 12 06:06:25 UTC 2020


>>> Can anyone reassure me or correct me on that?
>> 
>> The 20 does not represent a SqueakSSL error code but an OpenSSL one:
>> 
>>      20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
>>          the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
>> 
>> Which probably means that openssl does not find the COMODO issuer cert in its location.
>> Maybe we also did not set the path to the local cert store correctly...
>> 
>> When I use openssl s_client from macOS 10.12 OpenSSL (0.9.8), I get a similar result: 
>> 
>> $ openssl s_client -connect sagetea.ai:443
>> CONNECTED(00000003)
>> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ....
>> 
>> same for OpenSSL 1.1 and LibreSSL.
>> 
>> So, unless you have the Comodo intermediate Cert somewhere in a local cert store, 20 is correct.
> 
> Aaand this is a common thing since >5 years:
> 
> 	https://stackoverflow.com/questions/25213923/ssl-site-and-browser-warning#25214924

And one more: curl on my Linux box also does not know about that cert:

% curl https://sagetea.ai
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
zsh: exit 60    curl https://sagetea.ai

(on mac, this works as it uses SecureTransport, if I'm not mistaken...)

Best regards
	-Tobias
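
An added example, not part of the original message: a small parser for the `verify error:num=` lines that `openssl s_client` prints, which reports the depth at which issuer lookup failed. The sample input is constructed from the output quoted above, and the `diagnose` labels are a hypothetical heuristic, not OpenSSL logic.

```python
import re

# Constructed input: the s_client lines quoted in the message above.
SAMPLE = """\
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
verify error:num=21:unable to verify the first certificate
verify return:1
"""

# X509_V_ERR_* names from OpenSSL's x509_vfy.h for chain-building failures.
NAMES = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

def parse_verify_errors(text):
    """Return [(depth, code, message)] from `openssl s_client` output."""
    errors, depth = [], None
    for line in text.splitlines():
        m = re.match(r"depth=(\d+)\b", line)
        if m:  # remember which certificate the following error refers to
            depth = int(m.group(1))
            continue
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m:
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    return errors

def diagnose(errors):
    """Heuristic label for where the chain broke (assumption, see lead-in)."""
    depth_of = {code: depth for depth, code, _ in errors}
    if depth_of.get(20) == 0:
        # Leaf's issuer not found: intermediate neither sent nor in local store.
        return "leaf-issuer-missing"
    if 20 in depth_of:
        # Intermediates were sent, but the top issuer is not in the trust store.
        return "upper-issuer-missing"
    if 18 in depth_of or 19 in depth_of:
        return "self-signed"
    return "other" if errors else "ok"

if __name__ == "__main__":
    found = parse_verify_errors(SAMPLE)
    for depth, code, msg in found:
        print(f"depth {depth}: {code} {NAMES.get(code, 'unknown')} ({msg})")
    print("diagnosis:", diagnose(found))
```
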

