@mouse Was it signed by the external Certificate Authority? If not, then your rootCA is still self-signed. The fact that you must place the rootCA in each node means that rootCA is not well known CA.
Could you check this solution? Placing your root CA in Java’s keystore may solve your issue.