MQTT certificates verification fails

ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This suggests that the hostname you are connecting with doesn't match the hostname in the certificate.

With mosquitto_pub try using the --insecure option.

Alternatively, you've not got the right chain of CA certificates and so the server cert can't be verified by the client.


Author: user5740843

Updated on September 18, 2022

Comments

  • user5740843, over 1 year ago

    I've been desperately trying to get my MQTT clients to connect to my MQTT broker, which is set up with a certificate from a CA (Letsencrypt).

    To be able to get the CA certificate, I've used the letsencrypt python command (https://pypi.python.org/pypi/letsencrypt/0.4.1)

    ./letsencrypt-auto certonly -d www.myserver.com
    

    This has given me:

    lrwxrwxrwx 1 root root   41 Mar  6 23:50 cert.pem
    lrwxrwxrwx 1 root root   42 Mar  6 23:50 chain.pem
    lrwxrwxrwx 1 root root   46 Mar  6 23:50 fullchain.pem
    lrwxrwxrwx 1 root root   44 Mar  6 23:50 privkey.pem
    

    I am also using these files for the SSL encryption on my website (apache2), which seems to work just fine with this in my conf file:

    SSLCertificateFile /etc/letsencrypt/live/www.server.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.server.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    

    And when going on my webserver, I see the SSL icon, and it works.

    Now, when I put these files inside my /etc/mosquitto/mosquitto.conf:

    cafile /etc/letsencrypt/live/www.myserver.com/fullchain.pem
    certfile /etc/letsencrypt/live/www.myserver.com/cert.pem
    keyfile /etc/letsencrypt/live/www.myserver.com/privkey.pem
    

    And I was able to start the broker, v1.4.8, fine:

    [ ok ] mosquitto is running.
    

    and from the log:

    1457462631: mosquitto version 1.4.8 (build date Sun, 14 Feb 2016 15:06:55 +0000) starting
    

    Yet, when I try to subscribe to the test topic (to, well, test) using this command from the client:

    mosquitto_sub version 1.4.8 running on libmosquitto 1.4.8.
    

    Running command:

    root@titan:~# mosquitto_pub -h www.myserver.com -p 8883 -t test --cafile /etc/letsencrypt/live/www.myserver.com/fullchain.pem
    

    It mentions in my command line:

    Unable to connect (A TLS error occurred.).
    

    A closer look inside the mosquitto.log file reveals:

    1463562141: Socket error on client <unknown>, disconnecting.
    1463562154: New connection from X.X.X.X on port 8889.
    

    Which gives me surprisingly little information. A Python script I use from a website gives me a little bit more information:

    Python script:

    import os, subprocess, socket, sys, time, struct
    import paho.mqtt.client as mqtt

    dir = "/etc/letsencrypt/live/www.server.com/"

    def on_connect(mqttc, obj, flags, rc):
        # rc != 0 means the broker refused the connection
        if rc != 0:
            exit(rc)
        else:
            mqttc.disconnect()

    def on_disconnect(mqttc, obj, rc):
        # store the disconnect result where the main loop can see it
        global run
        run = rc

    run = -1
    mqttc = mqtt.Client("08-ssl-connect-crt-auth", userdata=run)
    # CA bundle, client certificate and client key, in that order
    mqttc.tls_set(dir + "fullchain.pem", dir + "cert.pem", dir + "privkey.pem")
    mqttc.on_connect = on_connect
    mqttc.on_disconnect = on_disconnect

    mqttc.connect("www.server.com", 8889)
    while run == -1:
        mqttc.loop()

    exit(run)


    And this returns me:

    ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    

    I'm at a loss here. This makes no sense to me! Any help is appreciated!

  • kodybrown, over 6 years ago
    Using mosquitto_pub --insecure ... helped us figure out what was going on with our situation. We are using a wildcard certificate, so the hostname doesn't match. I'm not sure how to ensure we're talking to the correct server now, though? Also, on some clients (Windows docker/moby) mosquitto_pub works (without --secure), while on some clients it doesn't work (Raspbian, Fedora).
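    As an added example (not code from the question, the answer or the mosquitto project), here is the hostname check that `--insecure` and paho's `tls_insecure_set(True)` switch off, written out in Python so the wildcard case described above can be reasoned about offline: a `*.example.com` certificate covers `mqtt.example.com` but not `example.com`, not a deeper subdomain, and never a connection made by IP address. The host and certificate names used are constructed.

```python
import ipaddress

def dns_id_matches(pattern, hostname):
    """Compare one subjectAltName DNS entry with the host the client connected to.
    Mirrors what a TLS client does: case-insensitive, trailing dot ignored, and a
    wildcard only counts as the entire leftmost label (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.example.com" is accepted; "f*.example.com", "*.com" and "*" are rejected
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # the wildcard stands in for exactly one label, no more and no fewer
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def mismatch_reason(connect_host, san_dns_names):
    """Return None when the certificate covers connect_host, otherwise a short
    explanation of why a verifying client rejects the connection. Constructed
    inputs only; in a real client the names come from the server certificate."""
    try:
        ipaddress.ip_address(connect_host)
        return ("connected by IP literal %s; DNS names in the certificate never "
                "match an address, use the broker's DNS name" % connect_host)
    except ValueError:
        pass
    if any(dns_id_matches(name, connect_host) for name in san_dns_names):
        return None
    host = connect_host.lower()
    for w in [n for n in san_dns_names if n.startswith("*.")]:
        base = w[2:].lower()
        if host == base:
            return "%s does not cover the bare domain %s" % (w, connect_host)
        if host.endswith("." + base):
            return "%s covers only one label; %s has extra labels" % (w, connect_host)
    return "%s is not among the certificate's names %s" % (connect_host, san_dns_names)
```

The fix for a wildcard broker certificate is therefore to connect with a name one label under the wildcard (for example the broker's `mqtt.example.com` DNS record), not to disable verification.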
    Using mosquitto_pub --insecure ... helped us figure out what was going on with our situation. We are using a Wildcard certificate, so the hostname doesn't match.. I'm not sure how to ensure we're talking to the correct server now, though.. ? Also, some clients (windows docker/moby) mosquitto_pub works (without --secure), while some clients don't work (raspian, fedora).