Please also set cacertfile to chain.pem
You may also set certfile to cert.pem instead of fullchain.pem

listener.wss.external.keyfile = /etc/letsencrypt/live/xxxx.com/privkey.pem

listener.wss.external.certfile = /etc/letsencrypt/live/xxxx.com/cert.pem

listener.wss.external.cacertfile = /etc/letsencrypt/live/xxxx.com/chain.pem

参考 https://github.com/emqx/emqx/issues/2306

https://webcache.googleusercontent.com/search?q=cache:6Jlnb2l5RJQJ:https://medium.com/%40emqtt/using-lets-encrypt-certificates-in-emq-b11e0e57efa6+&cd=1&hl=en&ct=clnk

…