Setting up Mosquitto Broker with TLS not working

Ah ok, I think we’ve found the issue. So first of all, the value that goes in certfile in mosquitto is the certificate created by the step Generate the MQTT Server self-signed certificate. The value for keyfile is the file created right before that in the step Generate the MQTT Server private key. The certificate created by the step Generate the CA signed certificate to use in the MQTT Mosquitto Server is not used right now, that’s used to sign client certificates for mTLS.

Also looking at that certificate I see the subject is this:

Subject: C = <country>, ST = <state>, L = <city>, O = Home Assistant, OU = MQTT, CN = homeassistant, emailAddress = <email>

That CN value in the subject has to be server-hassio, that’s what it is trying to match with the hostname in the URL to verify. So you’ll have to redo that step to make a new certificate for mosquitto. Make sure to adjust the command in the Generate the MQTT Server self-signed certificate to this

openssl req -new -key mosq_serv.key -out mosq_serv.csr -subj "/C=your-country/ST=your-state/L=your-city/O=Home Assistant/OU=MQTT/CN=server-hassio/[email protected]"

(after filling in your blanks with your personal info)

You can re-use the same key as long as you still have the csr file. If you deleted that since it's not used once you have the certificate, then you'll have to redo Generate the MQTT Server private key as well and copy both the key and crt files to mosquitto.

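The two checks from the reply above, as an added example script that is not part of the original thread: it regenerates the server key and self-signed certificate with CN equal to the broker hostname (assumed here to be server-hassio, as in the reply; the other subject fields are placeholders), then verifies that the CN matches and that the certfile and keyfile belong to each other. It needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread: build and sanity-check the mosquitto
# server key/certificate pair before pointing certfile/keyfile at them.
set -eu
WORK=$(mktemp -d)            # scratch directory for the generated files
trap 'rm -rf "$WORK"' EXIT

# Generate the MQTT server private key, a CSR whose CN is the broker
# hostname, and a self-signed certificate from that CSR.
# Subject fields other than CN are placeholders (assumption).
make_server_cert() {
    host=$1; dir=$2
    openssl genrsa -out "$dir/mosq_serv.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mosq_serv.key" -out "$dir/mosq_serv.csr" \
        -subj "/C=XX/ST=state/L=city/O=Home Assistant/OU=MQTT/CN=$host" 2>/dev/null
    # The resulting .crt is the certfile; the .key is the keyfile.
    openssl x509 -req -in "$dir/mosq_serv.csr" -signkey "$dir/mosq_serv.key" \
        -days 365 -out "$dir/mosq_serv.crt" 2>/dev/null
}

# Print "ok" when the certificate's subject CN equals the hostname clients
# will use; otherwise print the CN actually found (the mismatch in the thread).
check_cert_cn() {
    cert=$1; expected=$2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected" ] && echo ok || echo "$cn"
}

# Print "ok" when certfile and keyfile carry the same public key, i.e. the
# certificate was really issued for this key (and is not, say, the CA cert).
check_key_matches_cert() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo ok || echo mismatch
}

make_server_cert server-hassio "$WORK"
check_cert_cn "$WORK/mosq_serv.crt" server-hassio            # prints: ok
check_key_matches_cert "$WORK/mosq_serv.crt" "$WORK/mosq_serv.key"   # prints: ok
```

With the files generated this way, mosquitto's certfile points at mosq_serv.crt and keyfile at mosq_serv.key, as the reply describes.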