by Matteo Scaramuccia.
Hi Stephen,
try looking at the CAs chained on both certificates: there are some examples of how to do it, here in the Community, e.g. https://moodle.org/mod/forum/discuss.php?d=361822#p1459168 or on the net, e.g. https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/
It could also be a problem with the FQDN used vs. what was issued in the certificate when accessing from inside vs. from outside.
HTH,
Matteo
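
The two checks suggested in the post above (compare the CA chains, then check the FQDN against the names in the certificate), as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is installed.
# Function names and the script name are hypothetical.

# fetch_chain FQDN [PORT]: print every certificate the server presents, as PEM.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# chain_summary FILE: print subject= and issuer= for each certificate in a PEM
# bundle, so the chain seen from inside and from outside can be compared.
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# same_chain FILE_A FILE_B: succeed only if both bundles list the same
# subjects and issuers in the same order.
same_chain() {
    [ "$(chain_summary "$1")" = "$(chain_summary "$2")" ]
}

# name_matches FILE FQDN: succeed only if the first (leaf) certificate in FILE
# is valid for FQDN, using OpenSSL's own host name check (SAN entries, wildcards).
name_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Usage: sh check-chain.sh FQDN [PORT]
# Run it once from inside and once from outside, then compare the two outputs.
if [ "$#" -ge 1 ]; then
    pem=$(mktemp) || exit 1
    fetch_chain "$1" "${2:-443}" > "$pem"
    chain_summary "$pem"
    if name_matches "$pem" "$1"; then
        echo "OK: certificate is valid for $1"
    else
        echo "MISMATCH: certificate is not valid for $1"
    fi
    rm -f "$pem"
fi
```

If the saved bundles from the two locations differ under `same_chain`, the two paths are serving different certificates or intermediates; if `name_matches` fails for only one of the FQDNs in use, the certificate was not issued for that name.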