After contacting Sectigo, I had to install a CA bundle with cross-signed intermediate chain certificate AND delete the new root certificate on the server. That did the job. Thanks to all who helped.

Ok - should have checked this sooner but I normally use iOS 16 on simulators and actual device to check for backward compatibility. iOS 17 and 18 actually work with simulators. I would guess this is because iOS 16 and earlier doesn't have Sectigo root certificates loaded (found on other posts once I knew what I was looking for). Not sure there is any way around this??

So the connection succeeded first time but failed second time with the following error. Messages changed but similar results. Not sure what that tells us. 2025-09-12 12:33:32.650932+0100 locateandclock[2832:2071478] Connection 2: default TLS Trust evaluation failed(-9813) 2025-09-12 12:33:32.651119+0100 locateandclock[2832:2071478] Connection 2: TLS Trust encountered error 3:-9813 2025-09-12 12:33:32.651175+0100 locateandclock[2832:2071478] Connection 2: encountered error(3:-9813) 2025-09-12 12:33:32.706852+0100 locateandclock[2832:2071478] Task .<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9813]) 2025-09-12 12:33:32.723928+0100 locateandclock[2832:2071541] Task .<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xxxxxxxxxxx.co.uk” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x10881e600) s: *.xxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282a1a0d0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2815745a0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=( "<cert(0x10881e600) s: *.xxxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask .<2>" ), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .<2>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2815745a0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “easylogservers.co.uk” which could put your confidential information at risk.}