Expired certificate on pubsub.beta.kontalk.net

This happens again since a few weeks. I collected new debug logs with Prosody trunk nightly build 1253 (2020-04-14, 144a1ee24a4e) on a fresh start.

Apr 17 09:15:48 runnerPGipGubq  debug   creating new coroutine
Apr 17 09:15:49 socket  debug   server.lua: accepted new client connection from 46.101.92.252:57192 to 5269
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Incoming s2s connection
Apr 17 09:15:49 runner7SpVUdo5  debug   creating new coroutine
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Incoming s2s received <stream:stream from='pubsub.beta.kontalk.net' to='domain.de' version='1.0' xmlns='http://etherx.jabber.org/streams'>
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Sending[s2sin_unauthed]: <?xml version='1.0'?>
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Sending[s2sin_unauthed]: <stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' from='domain.de' id='75dc148a-157b-4c6a-8b27-68254e63f8e4' version='1.0' to='pubsub.beta.kontalk.net' xmlns:db='jabber:server:dialback'>
Apr 17 09:15:49 mod_s2s debug   Sending stream features: <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls><dialback xmlns='urn:xmpp:features:dialback'/></stream:features>
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Sending[s2sin_unauthed]: <stream:features>
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Received[s2sin_unauthed]: <starttls xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Sending[s2sin_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
Apr 17 09:15:49 socket  debug   server.lua: we need to do tls, but delaying until send buffer empty
Apr 17 09:15:49 s2sin55de1f28bb90       debug   TLS negotiation started for s2sin_unauthed...
Apr 17 09:15:49 socket  debug   server.lua: attempting to start tls on tcp{client}: 0x55de1f20cd48
Apr 17 09:15:49 socket  debug   server.lua: ssl handshake done
Apr 17 09:15:49 s2sin55de1f28bb90       info    Stream encrypted (TLSv1.2 with AES256-GCM-SHA384)
Apr 17 09:15:49 s2sin55de1f28bb90       debug   Incoming s2s received <stream:stream from='pubsub.beta.kontalk.net' to='domain.de' version='1.0' xmlns='http://etherx.jabber.org/streams'>
Apr 17 09:15:49 s2sin55de1f28bb90       debug   certificate chain validation result: invalid
Apr 17 09:15:49 s2sin55de1f28bb90       debug   certificate error(s) at depth 0: EE certificate key too weak, self signed certificate