The CA root, if it isn't already present.
Have already tried that, as mentioned. Hence my approaching the list for further advice.
You also need to ensure that the "certificate_file" option under the eap{} module contains the server and all intermediate certs (you don't need to put the root on there).
Will go double check....
If you've done that, then either there's something wrong with the certs, or something wrong with the client. Since it's the client complaining, you'll need to debug the client.
There's nothing wrong with the certs, they work perfectly well with EAP-TLS. If you've got ideas for debugging an Amazon Paperwhite, I'd love to hear them !
What is the client?
Amazon Paperwhite. I'm broadly trying to follow the hints here (https://tribut.de/blog/amazon-kindle-and-eduroam/) although this isn't being connected to Eduroam.