Also to add, if the device also doesn't recognise the root certificate it won't work; you would need to combine the pem and the root cert (from https://letsencrypt.org/certs/isrgrootx1.pem) into one file (it's just text, use Notepad). I had to do that for a few devices to get them to connect properly.
Check out https://letsencrypt.org/certificates/ , it's a little technical but goes through how it works. Certbot is only LetsEncrypt certs afaik.
As you're using a public root cert all you should need to do is put the pem file (I think it's the one linked at https://letsencrypt.org/certs/lets-encrypt-r3.pem) onto your device (the ESP32), and when you set TLS up in your device it'll ask for a CA cert; point it to the pem.
You should be good for a while, the 90 day refresh on the server won't impact it until they update their certificate process.
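Added example (not written by any poster in this thread): a small Python script that does the "combine the pem and the root cert into one file" step from the replies above, but checks that every block is a well-formed PEM certificate before concatenating, so a truncated copy/paste is caught on the PC rather than as a mysterious TLS failure on the device. The two certificates embedded in it are constructed placeholders (minimal DER sequences, not real Let's Encrypt data); for real use you pass the downloaded `lets-encrypt-r3.pem` and `isrgrootx1.pem` as arguments and point the device's CA-cert setting at the output.

```python
"""Combine an intermediate PEM and a root PEM into one CA bundle, validating each block."""
import base64
import re
import sys

# Constructed placeholder certificates: a minimal DER SEQUENCE each, NOT real
# Let's Encrypt data. In practice you read lets-encrypt-r3.pem and
# isrgrootx1.pem from disk (see main below).
def _fake_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_INTERMEDIATE = _fake_pem(b"\x30\x05\x02\x01\x01\x05\x00")
SAMPLE_ROOT = _fake_pem(b"\x30\x05\x02\x01\x02\x05\x00")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def extract_certificates(pem_text: str) -> list:
    """Return every CERTIFICATE block in pem_text, re-wrapped to 64-column PEM.

    Each body is base64-decoded once and must start with a DER SEQUENCE tag
    (0x30); a truncated or mangled block raises ValueError here instead of
    producing a bundle the device silently fails to load.
    """
    certs = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # drop the line breaks inside the block
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("decoded certificate is not a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs


def build_ca_bundle(*pem_texts: str) -> str:
    """Concatenate the certificates from each PEM text, in the order given.

    Pass the intermediate first and the root last. Exact duplicates are dropped,
    so re-running on an already combined file does not keep growing it.
    """
    seen, out = set(), []
    for text in pem_texts:
        for cert in extract_certificates(text):
            if cert not in seen:
                seen.add(cert)
                out.append(cert)
    return "".join(out)


def main(argv):
    """Usage: python ca_bundle.py lets-encrypt-r3.pem isrgrootx1.pem > ca_bundle.pem"""
    if not argv:
        # No files given: demonstrate on the constructed placeholders.
        sys.stdout.write(build_ca_bundle(SAMPLE_INTERMEDIATE, SAMPLE_ROOT))
        return
    texts = [open(path, encoding="ascii").read() for path in argv]
    sys.stdout.write(build_ca_bundle(*texts))


if __name__ == "__main__":
    main(sys.argv[1:])
```

The script only checks that each block is structurally a certificate; it does not verify that the intermediate actually chains to the root, which is what the device's TLS library will do when it connects.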
You can white label and host Bevywise IoT Platform and provide individual logins to your customers. Each one of your customers can have their own rules and custom dashboard for the data received from their own devices. You will also be able to control your customers and their devices from the common Admin console.
You need to set up an MQTT broker (or use an online one).
You need to browse to your sonoff device (web browser) and set in the MQTT server and user/password there.
Once that is done you need to set up HA to work with MQTT, which is fairly simple:
https://home-assistant.io/components/switch.mqtt/
For help on HA I recommend Ben, he has a heap of good videos: https://www.youtube.com/channel/UCLecVrux63S6aYiErxdiy4w
You might want to take a look at OwnTracks.
In short it's an open-source project for transmitting location data (and more) to an MQTT server, but they do a better job of explaining it in their docs: https://owntracks.org/booklet/guide/whathow/
I don't think aedes supports security on channels from what I've seen, but you can look into ACL support for mosquitto https://mosquitto.org/man/mosquitto-conf-5.html if you want to see how it can be done.
You can look up "Mosquitto", which is an open-source implementation developed by Eclipse. It can build the broker and clients and it allows you to enable ACL and TLS authentication (an encryption protocol based on public/private keys) features. Here is the link: https://mosquitto.org/
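Added example (not from any poster in this thread, and not mosquitto's own code): a Python evaluator for the mosquitto `acl_file` format referred to in the two replies above, so you can test a policy ("may this user publish to that topic?") before loading it into the broker. It models the documented pieces of that format: `topic [read|write|readwrite|deny] <filter>` lines, `user <name>` blocks, and `pattern` lines with `%u` (username) and `%c` (client id) substitution, plus MQTT `+`/`#` wildcard matching. The precedence it applies (default deny; a matching `deny` wins; otherwise any matching grant allows) is the conservative model assumed here, not a guarantee of the broker's exact ordering, so check the mosquitto.conf man page linked above for edge cases. The ACL text and user/client names are constructed for the example.

```python
"""Evaluate a mosquitto-style ACL file: may <user>/<client> read or write <topic>?"""

# Constructed sample ACL in the mosquitto acl_file format (not from the thread).
SAMPLE_ACL = """
# Rules before any 'user' line apply to anonymous clients.
topic read status/public/#

user telegraf
topic read sensors/#

user sonoff-kitchen
topic readwrite sensors/kitchen/+
topic deny sensors/kitchen/admin

# Pattern rules apply to every client; %u = username, %c = client id.
pattern readwrite devices/%u/#
pattern read clients/%c/config
"""

ACCESS_TYPES = ("read", "write", "readwrite", "deny")


def topic_matches(tfilter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches exactly one level, '#' the remainder."""
    flevels, tlevels = tfilter.split("/"), topic.split("/")
    for i, level in enumerate(flevels):
        if level == "#":
            return True          # must be the last level; matches zero or more levels
        if i >= len(tlevels):
            return False
        if level != "+" and level != tlevels[i]:
            return False
    return len(flevels) == len(tlevels)


def parse_acl(text: str):
    """Return (anonymous_rules, rules_by_user, pattern_rules); a rule is (access, filter)."""
    anonymous, by_user, patterns = [], {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            by_user.setdefault(current, [])
        elif parts[0] in ("topic", "pattern"):
            if len(parts) == 2:                      # "topic <filter>" alone means readwrite
                access, tfilter = "readwrite", parts[1]
            else:
                access, tfilter = parts[1], parts[2]
            if access not in ACCESS_TYPES:
                raise ValueError(f"bad access type in line: {line!r}")
            rule = (access, tfilter)
            if parts[0] == "pattern":
                patterns.append(rule)
            elif current is None:
                anonymous.append(rule)
            else:
                by_user[current].append(rule)
        else:
            raise ValueError(f"unrecognised ACL line: {line!r}")
    return anonymous, by_user, patterns


def check_access(acl, username, client_id: str, topic: str, want: str) -> bool:
    """Default deny; a matching 'deny' rule wins; otherwise any matching grant allows."""
    if want not in ("read", "write"):
        raise ValueError("want must be 'read' or 'write'")
    anonymous, by_user, patterns = acl
    if username is None:
        rules = list(anonymous)
    else:
        rules = list(by_user.get(username, []))   # unknown user: only pattern rules apply
    for access, tfilter in patterns:
        if "%u" in tfilter and username is None:
            continue                               # %u cannot be substituted for anonymous
        rules.append((access, tfilter.replace("%u", username or "").replace("%c", client_id)))
    granted = False
    for access, tfilter in rules:
        if not topic_matches(tfilter, topic):
            continue
        if access == "deny":
            return False
        if access in ("readwrite", want):
            granted = True
    return granted


ACL = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for user, cid, topic, want in [
        ("telegraf", "tg1", "sensors/kitchen/temp", "read"),
        ("telegraf", "tg1", "sensors/kitchen/temp", "write"),
        ("sonoff-kitchen", "sk1", "sensors/kitchen/admin", "write"),
        (None, "anon", "status/public/door", "read"),
    ]:
        verdict = "allow" if check_access(ACL, user, cid, topic, want) else "deny"
        print(f"{user!s:15} {want:5} {topic:25} -> {verdict}")
```

The point of the `pattern` lines is the per-device scoping the replies hint at: with `devices/%u/#`, each device account can only publish under its own prefix, so a compromised device credential cannot write into another device's topics.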
Hope this is helpful.
I use the MQTT Consumer Telegraf Input Plugin for this. Telegraf is a tool which allows you to read data into InfluxDB (a time-series database which is supported by Grafana) through plugins. Basically the plugin allows you to subscribe to different MQTT topics (even on different brokers) and put those in the database, which you can then graph using Grafana.
Update: https://play.google.com/store/apps/details?id=com.app.vetru.mqttdashboard supports client authentication (at least I can select a client cert and key). But I did not yet manage to successfully connect to my server.