In case anyone runs into a similar situation: I started getting connection errors with MQTT after the Let’s Encrypt root certificate expired today. To fix it I had to switch the CA file to the self-signed certificate from here: https://letsencrypt.org/certs/isrgrootx1.pem.
The certificate chain I got with the ACME client on the MQTT broker had the cross-signed version of that certificate, which didn’t work for Home Assistant.
Thank you, this was infuriating and I was tired of poking at it. Your solution worked. Maybe eventually I’ll have the mental energy to look at it again for a more long-term solution.
I think there is a way to tell your Let’s Encrypt client to pull down the self-signed version of the CA referenced above instead of the cross-signed version. I believe the cross-signed certificate is just for compatibility with older devices.
It’s actually the same.
The issue here is the CA certificate that is used to validate the root cert of Let’s Encrypt, e.g. the one you specify in the HA MQTT configuration.
As the X3 has expired, you cannot validate the cross-signature anymore, so you have to use the X1 from Let’s Encrypt itself.
That’s the long-term proper solution (at least until 2035, when the Let’s Encrypt X1 expires).
Note: I had to completely remove my old cert before running the above command: sudo rm -rf /etc/letsencrypt/live/my.domain.com /etc/letsencrypt/archive/my.domain.com /etc/letsencrypt/renewal/my.domain.com
Note 2: You need certbot >= 1.12.0 to use the --preferred-chain flag. (ref: here)
After obtaining the new cert I was able to remove the cafile config entry from my broker and the bridge_cafile config entry pointing at the root you linked me to on my clients.
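For anyone who wants to check which chain their broker is actually serving before and after re-issuing, here is a small shell helper. This is an added example, not code from any of the posts above or from certbot; it assumes certbot >= 1.12.0 (for --preferred-chain, as noted above) and a working openssl on PATH, and my.domain.com plus the /etc/letsencrypt paths are placeholders. The functions tell you whether a fullchain.pem ends in the expired DST Root CA X3 (the cross-signed chain) or in ISRG Root X1 (the short chain), and let you verify the leaf against one specific root file such as isrgrootx1.pem, which is the same check a client configured with that cafile performs.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl on PATH.
# Placeholders: my.domain.com, /etc/letsencrypt/live/my.domain.com/.

# Re-issue with the short chain (leaf -> R3 -> ISRG Root X1) instead of the
# default cross-signed chain, which ends in the expired DST Root CA X3.
# Run by hand; not executed by the functions below:
#   certbot certonly --preferred-chain "ISRG Root X1" -d my.domain.com

# Number of certificates in a PEM bundle (3 for the cross-signed LE chain,
# 2 for the short chain).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Issuer of the LAST certificate in a PEM bundle, i.e. the top of the chain.
# For a Let's Encrypt fullchain.pem: "CN=DST Root CA X3" means the chain
# still relies on the expired cross-signature; "CN=ISRG Root X1" means the
# short chain that validates against isrgrootx1.pem.
chain_top_issuer() {
    tmp=$(mktemp)
    # keep only the last BEGIN..END block of the bundle
    awk '/-----BEGIN CERTIFICATE-----/ {buf = ""} {buf = buf $0 "\n"} END {printf "%s", buf}' "$1" > "$tmp"
    openssl x509 -in "$tmp" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
    rm -f "$tmp"
}

# Verify the first certificate (the leaf) of a bundle against ONE trusted
# root file, using the rest of the bundle as untrusted intermediates.
# This mirrors what a client with "cafile <root>" does; exit status 0 on success.
verify_against_root() {
    root="$1"
    chain="$2"
    openssl verify -CAfile "$root" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# Typical use after re-issuing (paths are placeholders):
#   chain_top_issuer /etc/letsencrypt/live/my.domain.com/fullchain.pem
#   verify_against_root isrgrootx1.pem /etc/letsencrypt/live/my.domain.com/fullchain.pem && echo OK
```

If chain_top_issuer still prints CN=DST Root CA X3 after renewal, certbot reused the old chain (see the note above about removing the old lineage first); the cafile check with isrgrootx1.pem will only pass once the short chain is in place.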