Use fullchain.pem instead of cert.pem which fixes "certificate signed by unknown authority" problems. Also point cafile to correct root cert.