I also guess it could be caused by a server certificate which is signed by a CA.
Many OPC UA servers send only the leaf certificate, but the client must be able to resolve the full certificate chain.
All certificates of the chain must be either in the trusted (at least one) or in the issuer list.