Android Notakey Authenticator application
Solution on client side:
On the Android you can manually disable the certificate "Digital Signature Trust Co. - DST Root CA X3".
Go to "Settings > Security > Encryption & credentials" > Trusted credentials"
Scroll down and disable "Digital Signature Trust Co. - DST Root CA X3"
Solution on server side:
Latest updates include fix for chain issues. First install all latest updates with "ntk sys update" as usual. You will have to run this command multiple times to update all components. To acquire a fresh certificate, run "ntk rp resettls" followed by "ntk rp restart" and wait until certificate is provisioned by checking your service URL (https://mfa.example.com/api/health).
RADIUS Auth Proxy
If using auth-proxy service for remote API that is using Let's Encrypt and logs are showing "Error: TrustFailure", update to latest version with command "ntk sys update". Ensure that you have applied solution on API server side too, as the default chain provided by builtin rp service is not valid.
A handy tool to diagnose certificate issues is https://www.ssllabs.com/ssltest/.