Port 853 closed

[xgusto]

I recently installed docker adguard home. It works fine on LAN. I want to use adguard home outside LAN (I use VPN tunel WG) on Android 14.
In Android 14, I can only use private DNS and it doesn't work with IP address but with FQDN, which expects DOH or DOT.
I tried turning on encryption in adguard home settings. On another machine I generated cert.pem and key.pem, but adguard reports that
Certificate chain is invalid
When I try which ports are open, the output is

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
3000/tcp open ppp
8000/tcp open http-alt
8080/tcp open http-proxy

Port 853 is missing
On the local DNS server I use host overrides for the IP address of the server where adguard is installed, so in Android I can use the domain name.
By the way, docker runs in unprivileged LXC.
compose

version: "3"
services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 784:784/udp
      - 853:853/tcp
      - 3000:3000/tcp
    volumes:
      - ./workdir:/opt/adguardhome/work
      - ./confdir:/opt/adguardhome/conf
    restart: unless-stopped

[Deefstomp]

Please don't post any part of a real private key here! In your own interest.

To your question:

but adguard reports that
Certificate chain is invalid

This means there are certificates missing (parents), to the one you provided. Those are again individual blocks enclosed in ---Begin Cert--- and ---End Cert---. Usually they would be issued by your certificate provider and are intermediates between your cert and the root certificate.

Personally I'm using a different approach with Tasker (https://play.google.com/store/apps/details?id=net.dinglisch.android.taskerm) which automatically can disable DOT once you activate Wireguard or Wifi (trusted networks) and activate it again in any other circumstance.

[xgusto]

To begin with, I'll write.
The adguard home web interface works great with a wildcard certificate from LE. For example, I have a public domain example.com for which a wildcard certificate is issued and then I have many non-public domains
adguard.example.com
web1.example.com
web2.example.com
*.example.com

All my web servers (including the adguard interface) run behind a reverse proxy server.
This means that I connect to the adguard web interface via https with a valid certificate. However, the web interface runs on port 80 or 443.
DNS (DOH, DOT) runs on port 853.

I tried using a CA generated using mkcert. As a certificate, I used this (root.ca.pem + adguard.pem)

-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE-----

Certificate chain is invalid
I used it as a key.

-----BEGIN PRIVATE KEY-----
*****************************
-----END PRIVATE KEY-----

I still can't solve this problem.