self-made certs not quite right

Started by Rob Sargent, about 5 years ago, 2 messages, list: general
#1 Rob Sargent
robjsargent@gmail.com

I'm trying to follow instrux in V12:18.9.5 Creating Certificates. [1] https://www.postgresql.org/docs/12/ssl-tcp.html

I'm stuck in my basement so all references to "/CN=FQN" have been set to
$(hostname), just the hostname, because $(domainname) returns "(none)"
which I presume is akin to null.

With my newly minted certs and keys using psql (to either $(hostname) or
localhost) I get the "SSL connection (protocol: TLSv1.3...)" message, so
long as I have an empty ~/.postgresql directory. If I copy the
generated root.crt to ~/.postgresql (chown me.me; chmod 400) I get a
plain connection (no ssl).

With root.crt in ~/.postgresql, testing the jdbc connection from a
tomcat server generates this failure (again either localhost or $(hostname)):
Blow out on db connection to jdbc:postgresql://localhost:5432/postgres;
SSL error: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
org.postgresql.util.PSQLException: SSL error: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

Is this a pkcs v. pem cat fight? Or is there enough here to tell which
step went south, or just start over?

[1]: https://www.postgresql.org/docs/12/ssl-tcp.html

#2 Tiemen Ruiten
t.ruiten@tech-lab.io
In reply to: Rob Sargent (#1)
Re: self-made certs not quite right

Hello Rob,

> With root.crt in ~/.postgresql, testing the jdbc connection from a
> tomcat server generates this failure (again either localhost or
> $(hostname))
> Blow out on db connection to jdbc:postgresql://localhost:5432/postgres;
> SSL error: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> org.postgresql.util.PSQLException: SSL error: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target

Java has its own certificate keystore, you would need to add your
certificate to it: https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

Hope this helps.

--
Tiemen Ruiten
Infrastructure Engineer
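An added example, written for this page rather than taken from the thread, PostgreSQL or pgjdbc: it builds a root and server certificate the way the linked "Creating Certificates" steps do, then runs the two checks that account for both symptoms in message #1, since libpq loads ~/.postgresql/root.crt whenever the file exists, even under the default sslmode=prefer, and on a verification failure prefer silently falls back to a plaintext connection, while Java surfaces the same broken chain as the PKIX error message #2 addresses. It assumes openssl (and, for the commented Java step, keytool) on PATH; the host names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL: checks for the
# files produced by the "Creating Certificates" steps in the PostgreSQL docs.
# Assumes openssl is installed; file names follow the docs (root.crt,
# server.crt, server.key). Host names are constructed examples.

# Build a root CA and a server certificate signed by it, as the docs do.
# The docs use "-extensions v3_ca" from openssl.cnf; an inline extfile gives
# the same CA:TRUE constraint without depending on that file's location.
make_test_pki() {
    dir="$1"; host="$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -nodes -out "$dir/root.csr" -keyout "$dir/root.key" \
        -subj "/CN=root.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -days 3650 -extfile "$dir/ca.ext" \
        -signkey "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # The CN must be the name clients put in the connection string: verify-full
    # compares it, and with no SAN both libpq and openssl fall back to the CN.
    openssl req -new -nodes -out "$dir/server.csr" -keyout "$dir/server.key" \
        -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 365 -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    chmod og-rwx "$dir/root.key" "$dir/server.key"
}

# Check 1: does server.crt actually chain to the file about to be copied to
# ~/.postgresql/root.crt? Fails if the wrong file was copied or the CSR was
# signed by another key; that is the condition behind Java's
# "unable to find valid certification path".
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: chain plus host name, i.e. what sslmode=verify-full enforces.
# A certificate issued for $(hostname) fails here when the client uses "localhost".
check_full() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Typical use once both checks pass (not run here):
#   psql "host=<dbhost> sslmode=verify-full sslrootcert=root.crt"
#     (verify-full reports a failure instead of silently downgrading to plain)
#   keytool -importcert -trustcacerts -alias pg-root -file root.crt \
#       -keystore pg-trust.jks    # then run Java with -Djavax.net.ssl.trustStore=pg-trust.jks
```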