looks like i found a solution.
according to this:
we can remove the invalid X3 certificate.
then make nodejs use the system-wide installed openssl-ca certificates.
detailed steps, some instructions from [1]
1. check for certificates
a) check if you have the invalid X3
on rpi
$ grep X3 /etc/ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
if your output matches this, you have the invalid X3 certificiate
b) check if you have the valid X1 certificate
on rpi
$ grep X1 /etc/ca-certificates.conf
mozilla/ISRG_Root_X1.crt
if your output matches this, you have the valid X1 certificiate and can skip to 3.
2. if you lack the X1 certificate
install ca-certificates (20210119) from Debian – Details of package ca-certificates in bullseye
on rpi
$ wget http://ftp.de.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20210119_all.deb
$ sudo dpkg -i ca-certificates_20210119_all.deb
3. disable invalid X3
on rpi
$ sudo sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && sudo update-ca-certificates -f
4. edit plexamp.service and add --use-openssl-ca
on rpi
$ sudo systemctl edit --full plexamp
and add --use-openssl-ca so it looks similar to
ExecStart=/usr/bin/node --use-openssl-ca /home/pi/plexamp/server/server.prod.js
5. set clock to ntp again and check if the date is correct
on rpi
$ sudo timedatectl set-ntp true
$ date
Fri 08 Oct 2021 09:45:11 AM CEST
6. restart plexamp
on rpi
$ sudo systemctl restart plexamp
