I have changed the SSL_CTX_use_certificate_file() calls to SSL_CTX_use_certificate_chain_file(), but wasn't able to reproduce the failure you were seeing before the change was made.
If you generate the certificates using the gen.sh script in the attachment, but modify the line
(i.e. no root certificate), then using "mosquitto -c cafile-ok.conf" matches the scenario you describe in comment #4. This doesn't result in verification failure for me. If you can describe how what you are doing is different, then I may be able to reproduce the problem.
I have changed the SSL_CTX_ use_certificate _file() calls to SSL_CTX_ use_certificate _chain_ file(), but wasn't able to reproduce the failure you were seeing before the change was made.
If you generate the certificates using the gen.sh script in the attachment, but modify the line
cat test-signing-ca.crt test-inter-ca.crt test-root-ca.crt > all.crt
to
cat test-signing-ca.crt test-inter-ca.crt > all.crt
(i.e. no root certificate), then using "mosquitto -c cafile-ok.conf" matches the scenario you describe in comment #4. This doesn't result in verification failure for me. If you can describe how what you are doing is different, then I may be able to reproduce the problem.