The error message "certificate unknown" is generated by OpenSSL in cases, where a client refuses to work with this certificate. I would not be surprised, if you get this error just from requests of certain clients (browser).
if you want to know what's going on, use a command like the following (replace https://openacs.org with your site)
curl -v https://openacs.org 2>&1|less
Probably, curl allows the self-signed certificate.
The better approach is to get a real certificate, since newer browser are getting increasingly unhappy with insufficient secured certificates. We use on openacs.org a Let's Encrypt certificate, installed via the letsencrypt module of NaviServer.
