FCM and self-certificate issue (reopen)

问题

I'm using FCM to send a notification, my code works well when I use HTTP. The issue happened when I enable SSL using self-certificate, I cannot call subscribe/unsubscribe to/from a topic on FCM with error UNKOWN code.

Any idea this issues please help

I'm trying to debug so I can get access-token but cannot call sub/unsubscribe

This is the request to get access-token

2020-12-02T16:06:24.192Z|2|INFO|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|com.google.api.client.http.HttpTransport|curl -v --compressed -X POST -H 'Accept-Encoding: gzip' -H 'User-Agent: Google-HTTP-Java-Client/1.35.0 (gzip)' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -d '@-' -- 'https://oauth2.googleapis.com/token'  << $$$
2020-12-02T16:06:24.320Z|2|INFO|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|com.google.api.client.http.HttpTransport|Total: 1,123 bytes
2020-12-02T16:06:24.321Z|2|INFO|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|com.google.api.client.http.HttpTransport|grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk4NWUyNWI4ODc0ZDkwMDg4NWJjZWJiZWNmMzg2MjVkMTRmYTNhMWUiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL29hdXRoMi5nb29nbGVhcGlzLmNvbS90b2tlbiIsImV4cCI6MTYwNjkyODc4NCwiaWF0IjoxNjA2OTI1MTg0LCJpc3MiOiJmaXJlYmFzZS1hZG1pbnNkay03bnZvaEBhc2NlbmQtZGV2LXRlc3QuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvZmlyZWJhc2UuZGF0YWJhc2UgaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vYXV0aC91c2VyaW5mby5lbWFpbCBodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2lkZW50aXR5dG9vbGtpdCBodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9hdXRoL2RldnN0b3JhZ2UuZnVsbF9jb250cm9sIGh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvY2xvdWQtcGxhdGZvcm0gaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vYXV0aC9kYXRhc3RvcmUifQ.jnqKQhzxSkSvX5aKumAN1sJPk07l-IWYfCVi5O_Pxh4SQ0-mSrBEdtUXIXKilECB6Mdhg7dMu4zjewUHaFFLfqT6JYnZkAX3ByjKxjW6IP0RdclxV_cN8H-RRmgQkIdm5NX5OgfvGMZskU-Pwoly5QRVoppnJfr5tndbBCkXdB1FTdzcQr61yAnzGfb9b4NDXFeLrftQzMs2psRxtswIluryjOt_uZoaxyc0NRU3iVc28pKIuGH5z6wAQMfVUtySyec0jdgzPMA2ppGL6Jp8ZwVL7tpbPeKZvWfHgeAVVoFUgCqn8bdvmJ0skGKJjZrkzpjNcDhMJLcM78ZPRmsU_A
2020-12-02T16:06:24.358Z|2|INFO|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|com.google.api.client.http.HttpTransport|-------------- RESPONSE --------------
HTTP/1.1 200 OK

and this is the request to call subscribe a topic

2020-12-02T16:06:24.394Z|2|INFO|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|com.google.api.client.http.HttpTransport|-------------- REQUEST  --------------
POST https://iid.googleapis.com/iid/v1:batchAdd 
Accept-Encoding: gzip
Authorization: <Not Logged>
User-Agent: Google-HTTP-Java-Client/1.35.0 (gzip)
access_token_auth: true
Content-Type: application/json; charset=UTF-8
Content-Length: 217

2020-12-02T16:06:24.394Z|2|INFO|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|com.google.api.client.http.HttpTransport|curl -v --compressed -X POST -H 'Accept-Encoding: gzip' -H 'Authorization: <Not Logged>' -H 'User-Agent: Google-HTTP-Java-Client/1.35.0 (gzip)' -H 'access_token_auth: true' -H 'Content-Type: application/json; charset=UTF-8' -d '@-' -- 'https://iid.googleapis.com/iid/v1:batchAdd'  << $$$
2020-12-02T16:06:24.455Z|2|ERROR|fcm-demo|c5230eb4f07f582a,9b72559f0d3b8e39,true,|9|task-2|c.a.a.fcm-demo.client.FirebaseClient|Subscribe to topic [topic-0019] - failed with error code [UNKNOWN], messaging error code [null], message [Unknown error while making a remote service call: Connection reset]

What I do not understand that I can get access token but not able to call sub/unsubscribe API

Note:

Network should no problem because I get the access-token
Self-certificate may not issue because I can communicate with OAuth API to get token (not sure, because OAuth vs iid google instance maybe require different TLS)

ENV/Lib: