
Mosquitto TLS, works with MQTTfx but not mosquitto_pub (tlsv1 alert unknown ca)

Quite strange issue

I have mosquitto broker working with TLS

It is correctly accessible by an MQTTfx client set up for 'Enable SSL/TLS, TLSv1.2, CA certificate file'

The same ca.crt file is used by an OpenWrt mosquitto client issuing

 # mosquitto_pub -h x.x.x.x -p 8883 --cafile /etc/mosquitto/certs/ca.crt -i 1.1.1.1 -t test -m 123 -d

it returns

Client 1.1.1.1 sending CONNECT
Error: A TLS error occurred.

At the other end, the broker shows

OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client (null), disconnecting.

What is messing me up is the fact that the MQTTfx client instead is accepted, and it's using the same certificate..!

New connection from y.y.y.y on port 8883.
New client connected from y.y.y.y as 180ce1c04c1944e1964608221efbcf0a (c1, k60).
Sending CONNACK to 180ce1c04c1944e1964608221efbcf0a (0)

Should mean that the certificate is valid and trusted... isn't it? What's wrong then with the other client using the exact same certificate file?!

Sep Pax asked Jan 18 '26 15:01


1 Answer

...at the end using --insecure option did the job.

Means verification of the server hostname in the server certificate. Well, it works, although using this option in a production environment potentially invalidates the use of encryption.

Sep Pax answered Jan 20 '26 16:01
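
The `--insecure` option of mosquitto_pub disables verification of the server hostname in the server certificate. As an added example (not part of the original post), this Python sketch keeps chain verification against ca.crt and runs the name check separately, so you can see whether the value passed to `-h` is covered by the broker certificate. The function names and the sample certificate are constructed for illustration, and the matching is a simplified form of what TLS libraries do.

```python
import ipaddress
import socket
import ssl


def fetch_cert(host, port, cafile):
    """Verify the broker's chain against cafile, skip the name check,
    and return the certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def names_in_cert(cert):
    """Split a getpeercert() dict into (dns_names, ip_addresses, common_names)."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns


def host_matches_cert(cert, host):
    """True if `host` (the value given to -h) is a name the certificate covers."""
    dns, ips, cns = names_in_cert(cert)
    try:
        return ipaddress.ip_address(host) in ips  # IP literal: needs an IP SAN
    except ValueError:
        pass
    # Simplification (assumption): use the CN only when there are no DNS SANs.
    return any(_dns_match(p, host) for p in (dns or cns))


# Constructed sample: a certificate issued for a DNS name only.
SAMPLE_CERT = {
    "subject": ((("commonName", "broker.example.test"),),),
    "subjectAltName": (("DNS", "broker.example.test"),),
}
```

If `fetch_cert` succeeds but `host_matches_cert` is false for the address given to `-h`, reissuing the broker certificate with a matching subjectAltName lets the client connect without `--insecure`.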


