mosquitto TLS what certificate to use for remote mosquitto_pub
I am trying to set up a mosquitto MQTT server using TLS 1.2 with Let's Encrypt certificates.

I have installed mosquitto and set up Let's Encrypt. My /etc/mosquitto/conf.d/default.conf is

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mqtt.atom.net/cert.pem
cafile /etc/letsencrypt/live/mqtt.atom.net/chain.pem
keyfile /etc/letsencrypt/live/mqtt.atom.net/privkey.pem

On the server running mosquitto I can successfully publish and subscribe to messages.

Sub
mosquitto_sub -h localhost -t test
hello

Pub
mosquitto_pub -h mqtt.atom.net -t test -m "hello" -p 8883 --capath /etc/ssl/certs/

From another system on the Internet (or an ESP32) I get an error when trying to establish the TLS connection:

mosquitto_pub -h mqtt.atom.net -t test -m "hello again" -p 8883
Error: The connection was lost.

What cafile / certs do I need to pass to the mosquitto_pub?

Kneedeep answered 29/3, 2018 at 10:32 Comment(0)

To enable TLS in mosquitto_pub you need to pass either --capath or --cafile on the command line.

On a Linux system you should be able to just pass the same --capath /etc/ssl/certs/ (assuming the distro you are on keeps its CA certs in the same place).

Or you can copy the chain.pem file from your broker to the other machine and use --cafile chain.pem.

For something like an ESP32 you will need to work out how to include the chain.pem in the build you push to the device.

Carlynne answered 29/3, 2018 at 11:9 Comment(3)
Yes, on a 2nd Linux system I got it to work using --capath /etc/ssl/certs/. I assume this confirms that my mosquitto server is correctly built. However, on the 2nd Linux system, if I copy the chain.pem and use --cafile chain.pem, I get "Error: A TLS error occurred." In Wireshark I see that the mosquitto_pub client sends a TLS 1.2 Alert message: Level Fatal, Description: Unknown CA. The chain.pem file copied is valid, as I can dump its contents using openssl x509 -in chain.pem -noout -text. (Kneedeep)
Got the same issue with --cafile chain.pem. If you know the root cause of this, please share it. (Gravure)
You probably want the path to the fullchain.pem file, assuming you are using Let's Encrypt certificates. (Carlynne)
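Added example, not part of the original thread: the "Unknown CA" alert in the comments comes from the OpenSSL verifier inside mosquitto_pub. What you pass with --cafile or --capath becomes the trust store, and by default OpenSSL only accepts a chain that ends at a self-signed root found in that store. Let's Encrypt's chain.pem holds the intermediate CA certificate only, so a client given just that file can never complete the chain, even though the file itself is a perfectly valid certificate; /etc/ssl/certs/ works because it holds the root. The script below reproduces this offline with a constructed root, intermediate and leaf (the CA names and mqtt.example.net are made up for the example) and runs the same three checks with openssl verify.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "Unknown CA" failure offline.
# Builds a constructed root -> intermediate -> leaf chain with openssl, then verifies the
# leaf the way mosquitto_pub's OpenSSL does: against a trust store holding only the
# intermediate (what Let's Encrypt's chain.pem contains) and against one holding the root.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: one DN template plus extension sections for CA and leaf certs.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mqtt.example.net
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

# Self-signed root: stands in for the public root that lives in /etc/ssl/certs/.
q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem"

# Intermediate CA signed by the root: stands in for the contents of chain.pem.
q openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr"
q openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
    -extensions ca_ext -out "$WORK/int.pem"

# Broker leaf certificate signed by the intermediate: stands in for cert.pem.
q openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=mqtt.example.net" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
q openssl x509 -req -sha256 -days 90 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
    -extensions leaf_ext -out "$WORK/leaf.pem"

# Each check prints "ok" or "fail" instead of exiting so the three can be compared.
# (a) --cafile chain.pem: only the intermediate is trusted. OpenSSL still wants a
#     self-signed root at the top of the chain, cannot find one, and rejects the leaf.
#     mosquitto_pub reports this as the fatal "Unknown CA" alert seen in the question.
verify_intermediate_only() {
    if q openssl verify -CAfile "$WORK/int.pem" "$WORK/leaf.pem"; then echo ok; else echo fail; fi
}
# (b) --capath /etc/ssl/certs/: the root is trusted and the intermediate arrives as
#     untrusted chain material from the broker. This is the working case.
verify_with_root() {
    if q openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"; then echo ok; else echo fail; fi
}
# (c) Same intermediate-only store, but with partial-chain verification enabled.
#     Shows that (a) is a verifier policy, not a broken chain.pem; mosquitto_pub has
#     no switch for this, so the practical fix is to give it the root.
verify_partial_chain() {
    if q openssl verify -partial_chain -CAfile "$WORK/int.pem" "$WORK/leaf.pem"; then echo ok; else echo fail; fi
}

printf 'intermediate only : %s\n' "$(verify_intermediate_only)"
printf 'root + untrusted  : %s\n' "$(verify_with_root)"
printf 'partial chain     : %s\n' "$(verify_partial_chain)"
```

The same comparison can be made against the live broker without mosquitto_pub: run openssl s_client -connect mqtt.atom.net:8883 -CAfile chain.pem and then again with -CApath /etc/ssl/certs/, and compare the "Verify return code" lines; the first should report a missing issuer while the second verifies.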
