@edq37843, Let’s Encrypt isn’t going to sign your client certificates because there’s no way to verify their content (in the context of Let’s Encrypt’s automated processes). Let’s Encrypt can only sign your server certificates. (There’s a way to validate your control over the domain they refer to in an automated online process, but we don’t have a corresponding approach for the client certificates.)
So, you’ll still need to use self-signed certificates for the client certificate part of the process. A method for creating those self-signed certificates, including ca-key.pem, is included in the tutorial that I linked to.
One could argue that client authentication rarely needs a publicly-trusted CA for security; whoever operates the service that’s accepting the client certificates is in a position to check their validity, issue them, and accept them, without having any outside party in the loop. For example, if you’re the administrator of the MariaDB server, you know who the authorized users of the server are, and you can issue certificates to them that you can configure the server to accept. On the other hand, a lot of Internet services do like outsourcing identity management, so maybe we’ll see some kind of outsourced identity provider issuing TLS client certificates one day.
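As an added illustration of the private-CA approach described above (this is not code from the post or from the linked tutorial), the following script builds a private CA, issues a client certificate from it, and prints the MariaDB GRANT that ties an account to that CA and subject. The file names (ca-key.pem, ca-cert.pem, client-key.pem, client-cert.pem), the CA name and the client CN are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: a private client CA for MariaDB, run entirely by the
# server operator. Assumed file names and subject names, chosen for the demo.
set -eu

# make_client_cert DIR CLIENT_CN
# Creates the private CA in DIR (once) and issues a client cert signed by it.
make_client_cert() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  if [ ! -f "$dir/ca-key.pem" ]; then
    # The CA only has to be trusted by the MariaDB server (ssl-ca in my.cnf),
    # so a self-signed root is all that is needed.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
      -subj "/CN=Example Private Client CA" 2>/dev/null
  fi
  # Client key and CSR; the CN is what the server matches with REQUIRE SUBJECT.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/client-key.pem" -out "$dir/client.csr" \
    -subj "/CN=$cn" 2>/dev/null
  # Restrict the certificate to client authentication so it cannot be
  # presented as a server certificate later.
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/client.ext" -out "$dir/client-cert.pem" 2>/dev/null
  rm -f "$dir/client.csr" "$dir/client.ext"
  # Check the chain the way the server will: trusted only via our own CA.
  openssl verify -purpose sslclient -CAfile "$dir/ca-cert.pem" \
    "$dir/client-cert.pem" >/dev/null
}

# cert_subject CERT: subject in RFC 2253 form, e.g. "CN=alice".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# grant_sql USER CN: the MariaDB account binding (assumed account name USER).
# With ssl-ca=ca-cert.pem set on the server, REQUIRE ISSUER/SUBJECT pins the
# account to a certificate from this CA with exactly this CN.
grant_sql() {
  printf "GRANT USAGE ON *.* TO '%s'@'%%' REQUIRE ISSUER '/CN=Example Private Client CA' AND SUBJECT '/CN=%s';\n" "$1" "$2"
}
```

The client then connects with `--ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem`; a certificate from any other CA, including a publicly trusted one, is rejected because the server trusts only ca-cert.pem.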