sudo apt install mosquitto mosquitto-clients mosquitto-dev

Stop and disable mosquitto server for now. Later start it using `runit'

/etc/init.d/mosquitto stop
update-rc.d mosquitto disable
systemctl disable mosquitto
systemctl mask mosquitto

Create and edit local config

vi /etc/mosquitto/conf.d/local.conf

Add the following

listener 1883
allow_anonymous true

Create password file and add a user

touch /etc/mosquitto/pwfile
mosquitto_passwd -b /etc/mosquitto/pwfile username password

Create and edit local config

vi /etc/mosquitto/conf.d/local.conf

Add the following

listener 8883
allow_anonymous false
password_file /etc/mosquitto/pwfile

certfile /etc/mosquitto/certs/cert.pem
cafile   /etc/mosquitto/certs/fullchain.pem
keyfile  /etc/mosquitto/certs/key.pem

#! /bin/bash
sleep 1

#LOG
exec 2>&1
ulimit -l unlimited
ulimit -i unlimited
ulimit -q unlimited
ulimit -n 8192
ulimit -aH

#RUN
mkdir -p /var/lib/mosquitto
chown -R mosquitto:mosquitto /var/lib/mosquitto
mkdir -p /var/log/mosquitto
chown -R mosquitto:mosquitto /var/log/mosquitto
mkdir -p /run/mosquitto
chown -R mosquitto:mosquitto /run/mosquitto
exec /usr/sbin/mosquitto -c 

mosquitto_sub -h 192.168.0.13 -t '#'

mosquitto_sub -v -h hostname.example.com -p 8883 -u username -P password -t '#'

The hostname must match the name in the TLS certificate.