Don't try to add a Let's Encrypt certificate, you need to add the CA anyway. Just use OwnTracks' own generateCA.sh script and you'll be up and running in a minute. Stick the CA and p12 file in your phone and you're done.

Here's my modified script that produces the p12 file in the end:

https://www.pastery.net/ytyqrj/

Run it with:

./generate-CA.sh <your mosquitto hostname>

./generate-CA.sh client <your username>