Reputation: 25
I have an MQTT server and wanted to start using SSL instead of plain MQTT. I configured the server correctly to use my wildcard certificate but it won't work without the --capath /etc/ssl/certs option. Additionally, my ZwaveJS2MQTT instance will not work over SSL (probably because of the missing certification path). I am using the wildcard certificate on multiple servers (Debian, OpenVPN...) and have never encountered such an issue.
On the subscriber side:
pi@raspi1:~ $ mosquitto_sub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave"
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
^C
pi@raspi1:~ $ mosquitto_sub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" --capath /etc/ssl/certs
Client mosqsub|29078-raspi1.sm sending CONNECT
Client mosqsub|29078-raspi1.sm received CONNACK (0)
Client mosqsub|29078-raspi1.sm sending SUBSCRIBE (Mid: 1, Topic: zwave, QoS: 0)
Client mosqsub|29078-raspi1.sm received SUBACK
Subscribed (mid: 1): 0
Client mosqsub|29078-raspi1.sm received PUBLISH (d0, q0, r0, m0, 'zwave', ... (4 bytes))
test
^C
On the publisher side:
pi@raspi1:~ $ mosquitto_pub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" -m "test"
Client mosqpub|29067-raspi1.sm sending CONNECT
Error: The connection was lost.
pi@raspi1:~ $ mosquitto_pub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" -m "test" --capath /etc/ssl/certs
Client mosqpub|29069-raspi1.sm sending CONNECT
Client mosqpub|29069-raspi1.sm received CONNACK (0)
Client mosqpub|29069-raspi1.sm sending PUBLISH (d0, q0, r0, m1, 'zwave', ... (4 bytes))
Client mosqpub|29069-raspi1.sm sending DISCONNECT
When running a test on my wildcard certificate, I see the following errors:
Certificates provided 3 (3600 bytes)
Chain issues Incorrect order, Contains anchor
#2
Subject GlobalSign Root CA In trust store
...
Valid until Fri, 28 Jan 2028 12:00:00 UTC (expires in 6 years and 5 months)
Key RSA 2048 bits (e 65537)
Issuer GlobalSign Root CA Self-signed
Signature algorithm SHA1withRSA Weak, but no impact on root certificate
#3
Subject AlphaSSL CA - SHA256 - G2
...
Valid until Tue, 20 Feb 2024 10:00:00 UTC (expires in 2 years and 6 months)
Key RSA 2048 bits (e 65537)
Issuer GlobalSign Root CA
Signature algorithm SHA256withRSA
The certification path shows this:
Path #1: Trusted
1 Sent by server *.hostname.com
...
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server AlphaSSL CA - SHA256 - G2
...
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server / In trust store GlobalSign Root CA Self-signed
...
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Upvotes: -1
Views: 1007
Reputation: 59608
From the mosquitto_pub/mosquitto_sub man page:
To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option.
The mosquitto command line tools do not have a default CA certificate source, so to enable TLS based connections you MUST provide a path to either a CA cert file or a directory of CA cert files.
And if providing a path to a directory of CA certs it must be prepared with the following:
For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "openssl rehash <path to capath>" each time you add/remove a certificate.
Upvotes: 1
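An added example, not from the answer above or the mosquitto project: a POSIX shell helper that prepares a directory for --capath the way the quoted man page requires (".crt" endings plus an "openssl rehash" index) and checks that every certificate in it is indexed before the mosquitto clients are pointed at it. The directory name /etc/mosquitto/capath in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: prepare a --capath directory
# for mosquitto_sub/mosquitto_pub. Directory names are assumptions.
set -eu

# mosquitto's --capath loader only reads files ending in ".crt", so give
# any PEM certificates stored as .pem/.cer that ending.
ensure_crt_extension() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.cer; do
        [ -f "$f" ] || continue            # unmatched glob is passed through literally
        mv -- "$f" "${f%.*}.crt"
    done
}

# Build the <subject_hash>.N entries OpenSSL uses to find CA certs in a
# directory. Must be rerun after every add/remove, as the man page says.
rehash_capath() {
    openssl rehash "$1"
}

# Return 0 when every .crt in the directory has a hash entry, 1 when one is
# missing (or there are no certificates), 2 when openssl is not installed.
capath_ready() {
    dir="$1"
    command -v openssl >/dev/null 2>&1 || return 2
    found=0
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        found=1
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        ls "$dir/$h".[0-9]* >/dev/null 2>&1 || return 1   # no <hash>.N link yet
    done
    [ "$found" -eq 1 ]
}

# Typical use (assumed paths): copy the CA chain into /etc/mosquitto/capath, then
#   ensure_crt_extension /etc/mosquitto/capath && rehash_capath /etc/mosquitto/capath
#   capath_ready /etc/mosquitto/capath && mosquitto_sub -h apollo.hostname.com \
#       -p 8883 -u ha -P 'password' -t zwave --capath /etc/mosquitto/capath
```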