MQTT SSL certificate expired

Hi Rudy, thank you for your reply. I tried removing the last cert from fullchain.pem again but get (in the mosquitto logs):

1634186027: Socket error on client <unknown>, disconnecting.
1634186027: New connection from xxx.xxx.xxx.xxx on port 8883.
1634186027: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1634186027: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

and when I try using: openssl s_client -connect broker.avasmartgardens.com:8883 -servername broker.avasmartgardens.com I get:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = broker.avasmartgardens.com
verify return:1
---
Certificate chain
 0 s:CN = broker.avasmartgardens.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = broker.avasmartgardens.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3337 bytes and written 444 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FC4E7FAECEDFAE81B32CFD93F36C9A91157E082EEE941D7ED3F6EF7446CB30E5
    Session-ID-ctx:
    Master-Key: 22737277F3C2971C78227C226A508675029AE97AAA8878989332702F2E9610BAFDCB198C16078848E48595044064F2FE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1634186022
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

I've upgraded certbot to version 1.20.0. Unfortunately it looks like I have been rate limited for the time being, as I've tried to renew the certificates too many times.

In regard to your other point, I've updated openssl to the latest version supported for Ubuntu 16.04, which is 1.02g-1ubuntu4.20.

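Added example (not code from this thread or from mosquitto/certbot): a small POSIX shell helper for the two checks being done above. It lists every certificate in a fullchain.pem with its issuer and expiry, so the "last cert" can be identified and its expiry confirmed before anything is removed, and it pulls only the chain and verification lines out of the s_client output so a server-side check and a client-side "unknown ca" failure can be compared. It assumes the openssl CLI is installed; the file, host and port arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI.

# chain_report FILE
# One line per certificate in a PEM bundle: index, subject, issuer,
# notAfter and whether it has already expired.
chain_report() {
    file=$1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per PEM block (000.pem, 001.pem, ...).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$file"
    i=0
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        subj=$(openssl x509 -in "$pem" -noout -subject)
        iss=$(openssl x509 -in "$pem" -noout -issuer)
        end=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend 0 exits non-zero once notAfter is in the past
        if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            state=valid
        else
            state=EXPIRED
        fi
        printf '%d %s | %s | %s | %s\n' "$i" "$subj" "$iss" "$end" "$state"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# chain_count FILE: number of certificates in the bundle
chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# broker_chain HOST PORT: the chain the server presents (s:/i: lines)
# plus the verification result against the local trust store.
broker_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:|^Verify return code'
}
```

Run `chain_report /etc/letsencrypt/live/<domain>/fullchain.pem` on the broker and `broker_chain broker.example 8883` from a client host; a chain that verifies on the server but produces "unknown ca" on the client points at the client's trust store rather than the server's bundle.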