I think I found the “problem”.
Since I’m using a separate nginx instance as my main, I hadn’t added autoconfig and autodiscover to the proxy hosts. Now after adding them pointing to mailcow’s nginx, Thunderbird is almost instant at retrieving the configuration but now it detects the servers as “mail.domain.com”, is this normal? I mean it works but I would have liked more to have it using it’s correct subdomain for each protocol instead of mail but that’s purely esthetic.
So before Thunderbird took several seconds and detected (I guess by just trying):
IMAP: imap.something.org
SMTP: smtp.something.org
Now it detects:
IMAP: mail.domain.com
SMTP: mail.domain.com
And now I don’t have the cert problem.
Inspecting the PHP code for autodiscover I see it uses 'server' => $mailcow_hostname,
for everything so I guess mail.domain.com
it’s OK