We've seen cases where the Certificate contains fields that are improperly encoded, leading to this issue. E.g. Issue 778160

It'll be a bit before I can do a deeper dive, but certainly, the certificate invalidly encodes an IP Address in a dNSName SAN, which is not valid.

There are also duplicate authorityKeyIdentifier extensions - which violates RFC 5280

"A certificate MUST NOT include more than one instance of a particular extension."

What URL are you attempting to load? The SAN extension does not contain the "MyPLC1" hostname that is present in the CommonName.

SEQUENCE(2 elem)
OBJECT IDENTIFIER2.5.29.17subjectAltName(X.509 extension)
OCTET STRING(1 elem)
SEQUENCE(2 elem)
Offset: 693
Length: 2+21
(constructed)
Value:
(2 elem)
[7](4 byte) C0A802E1
[2]192.168.2.225

CA certificate contains the following errors:
cablint	ERROR	basicConstraints must be critical in CA certificates
cablint	ERROR	CA certificates must include keyUsage extension
cablint	ERROR	CA:TRUE without keyCertSign
cablint	ERROR	Serial number must be positive
cablint	WARNING	CA certificates should not include subject alternative names
cablint	WARNING	Deprecated Netscape extension 2.16.840.1.113730.1.13 treated as opaque extension
cablint	WARNING	Serial numbers should have at least 20 bits of entropy
cablint	INFO	CA certificate identified
x509lint	ERROR	Serial number not positive
zlint	ERROR	basicConstraints MUST appear as a critical extension
zlint	ERROR	Root and Subordinate CA certificate keyUsage extension MUST be present
zlint	ERROR	Root CA certificates MUST have Key Usage Extension Present
zlint	ERROR	The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.
zlint	WARNING	Effective September 30, 2016, CAs SHALL generate non‐sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.

Site certificate contains the following errors:
cablint	ERROR	BR certificates must be 39 months in validity or less
cablint	ERROR	BR certificates must include certificatePolicies
cablint	ERROR	BR certificates with organizationName must include either localityName or stateOrProvinceName
cablint	ERROR	commonNames in BR certificates must be from SAN entries
cablint	ERROR	Duplicate extension 2.5.29.35
cablint	ERROR	Unknown TLD in SAN
cablint	WARNING	Certificate does not include authorityInformationAccess. BRs require OCSP stapling for this certificate.
cablint	WARNING	Duplicate SAN entry
cablint	WARNING	Extension should be critical for KeyUsage
cablint	WARNING	Serial numbers should have at least 20 bits of entropy
cablint	WARNING	TLS Server certificates must include serverAuth key purpose in extended key usage
cablint	INFO	TLS Server certificate identified
x509lint	ERROR	Duplicate extension
x509lint	ERROR	IP address in dns name
x509lint	ERROR	no authorityInformationAccess extension
x509lint	ERROR	No OCSP over HTTP
x509lint	ERROR	No policy extension
x509lint	ERROR	Subject with organizationName, givenName or surname but without stateOrProvince or localityName
x509lint	ERROR	The certificate is valid for longer than 60 months
x509lint	WARNING	No HTTP URL for issuing certificate
x509lint	WARNING	Subscriber certificate without Extended Key Usage
x509lint	INFO	Subject has a deprecated CommonName
x509lint	INFO	Unknown validation policy
zlint	ERROR	A certificate MUST NOT include more than one instance of a particular extension
zlint	ERROR	CAs MUST NOT issue subscriber certificates with validity periods longer than 39 months regardless of circumstance.
zlint	ERROR	DNSNames must have a valid TLD.
zlint	ERROR	Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.
zlint	ERROR	Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.
zlint	ERROR	Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.
zlint	ERROR	Subscriber certificates must contain at least one policy identifier that indicates adherence to CAB standards
zlint	ERROR	Subscriber certificates MUST have the extended key usage extension present
zlint	ERROR	Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent.
zlint	ERROR	Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent.
zlint	ERROR	Subscriber Certiifcate: authorityInformationAccess MUST be present, with the exception of stapling.
zlint	ERROR	The common name field in subscriber certificates must include only names from the SAN extension
zlint	WARNING	Effective September 30, 2016, CAs SHALL generate non‐sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.
zlint	WARNING	Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate
zlint	WARNING	The keyUsage extension SHOULD be critical
zlint	NOTICE	Subscriber Certificate: commonName is deprecated.

SEQUENCE(2 elem)
OBJECT IDENTIFIER2.5.29.17subjectAltName(X.509 extension)
OCTET STRING(1 elem)
SEQUENCE(2 elem)
Offset: 693
Length: 2+21
(constructed)
Value:
(2 elem)
[7](4 byte) C0A802E1
[2]192.168.2.225

Thanks for investigating my issue! 
To answer the questions above:
Our machines (SIEMENS SIMATIC PLCs) do not support DNS yet. They are using the ip address only. So we add the ip address to the SAN as IP (0x87) for e.g. Chrome and Firefox. For IE11 we have to add the ip address as DNS (0x82), too. There you see an problem. The common name is user defined (here: MyPLC1) and should be irrelevant to new browsers (SAN should be used).

> They are using the ip address only.

That is to say, the URL you're attempting to load is of the form https://1.2.3.4/whatever?

Adding the IP as a DNSName is not necessary and not correct. Please see https://cabforum.org/guidance-ip-addresses-certificates/ which provides guidance on how to ensure maximal interoperability with the use of IP address-bearing certificates - supporting systems that do support iPAddress SANs (Chrome, Firefox) and those that do not (IE11)

For clarity, the misconfiguration noted in #7 isn't causing the current problem, is it?

The Issue in Comment 3 is causing extension parsing to fail, which causes SAN extraction to fail, but the issue in Comment 7 would prevent a SAN match.

To comment 6: Yes, we are using ip addresses only, e.g. https:/192.168.2.220
To comment 9: We removed the duplicate extension; now it works!
To comment 7: After removing the duplicate extension, Chrome does not fail with parsing the SAN "DNS=ip address". Will it tolerate it in future, too?

We don't see the problem with using an IP address as DNS. For us it is a valid DNS name; Windows and Linus address resolver do resolve it properly.

And yes, we will have a look into the guide mentioned in comment 7.

Thanks a lot for your help! Your browser is great and really fast :-)

To avoid issues, you should use the advice given in Comment #7.

That is, a CN=[IP], SAN=[iPAddress:IP] is the correct way to issue IP address certificates that work ubiquitously across clients. Other combinations will cause issues.

Closing this issue, as I don't believe there is an actual bug here to fix.