I’m stuck trying to set up my mosquitto broker to work with secured web sockets in my local private network. It’s installed on a Windows server host. I’ve tried to create my own self-signed certificates with openssl and I did successfully connect a client, but not a websocket client via an angular app.
The angular app is not the problem because it can connect to the test.mosquitto broker over ssl.
If anyone could give me some tips on how to create these self-made certificates to work with a private IP address and be able to connect a client via web socket, it would be awesome.
My first instinct is that the angular app isn’t trusting the self-signed certificate. Does it have the option to add extra certificates to trust, or to (temporarily) not validate the server certificate?
Alternatively, it could be that the hostname in the certificate doesn’t match the one you are trying to connect to, which will also cause validation errors. That’s probably the most common difficulty I’ve seen people having.
Just to be sure - could you share your mosquitto config to make sure there isn’t anything off with it?
The package that I’m using to manage the mosquitto connection doesn’t have the ability to set up a certificate. But I’ve installed the certificate manually in the client’s computer and the error that I get is
net::ERR_CERT_COMMON_NAME_INVALID
I think it is that I’m not creating a valid certificate with my private IP address. Creating a domain is not an option.
You’ve already hit on the right answer. The client is (correctly) rejecting the certificate because the host/ip address doesn’t match the commonName part of the certificate.
There is a way around this, you can generate certificates with multiple subjectAltName entries instead of a commonName and they will be used for verification. It is allowed to put IP addresses in the subjectAltName entries as well as host names.
There is a script at https://raw.githubusercontent.com/owntracks/tools/master/TLS/generate-CA.sh that will generate a CA, plus server certificate and keys for you - including subjectAltName. It is written for Unix systems, but it really only makes use of the openssl tool, so it should be possible to achieve the same effect on Windows with a bit of effort.
Thanks for the tips. Does the config file look good? I’m struggling to generate a valid certificate with this script because my Linux skills are a little bit rusty. I will answer if I achieve something.
Yes, the config looks fine. I started to try to convert the script to something usable on Windows, then realised it’s quite a big task actually. I’m not sure what to suggest for it.
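The certificate shape the thread arrives at (a private CA plus a broker certificate whose subjectAltName carries the broker's private IP) can be produced with a handful of openssl calls, which is what the generate-CA.sh script does under the hood. The script below is an added example written for this thread; it is not the owntracks script and not mosquitto's own code. The broker IP 192.168.1.50, the output directory ./certs, the CN values and the 825-day lifetime are placeholders to replace with your own. Because every command is plain openssl with explicit config files (no reliance on the system openssl.cnf), the same commands can be typed into a Windows shell with an openssl build installed. The second function is the check a practitioner wants before touching the broker: does the certificate chain to the CA, and does its SAN actually list the IP the client will type into the wss:// URL, which is exactly what ERR_CERT_COMMON_NAME_INVALID complains about.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA and a broker
# certificate with an IP subjectAltName using only the openssl CLI.
# Placeholder values: broker IP 192.168.1.50, output dir ./certs, CN names.
set -eu

# gen_broker_certs OUTDIR BROKER_IP [DAYS]
gen_broker_certs() {
  out="${1:-./certs}"
  ip="${2:-192.168.1.50}"
  days="${3:-825}"
  mkdir -p "$out"

  # 1. CA key and self-signed CA certificate. This is the file the client
  #    machine (browser trust store) has to trust; the broker key stays private.
  openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
  cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Private MQTT CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$out/ca.key" -sha256 -days "$days" \
    -config "$out/ca.cnf" -out "$out/ca.crt"

  # 2. Broker key and CSR. The CN is informational; modern clients match the
  #    host against subjectAltName only, so the IP must appear there.
  openssl genrsa -out "$out/server.key" 2048 2>/dev/null
  cat > "$out/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = mqtt-broker
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip,DNS:localhost
EOF
  openssl req -new -key "$out/server.key" -config "$out/server.cnf" \
    -out "$out/server.csr"

  # 3. Sign the CSR with the CA, attaching the SAN and server EKU extensions.
  openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days "$days" -sha256 \
    -extfile "$out/server.cnf" -extensions server_ext \
    -out "$out/server.crt" 2>/dev/null
}

# check_broker_cert OUTDIR BROKER_IP
# Returns 0 only if server.crt chains to ca.crt AND its SAN lists BROKER_IP.
# A certificate that passes "openssl verify" but lacks the IP entry is the
# situation behind ERR_CERT_COMMON_NAME_INVALID, so both checks are needed.
check_broker_cert() {
  out="${1:-./certs}"
  ip="${2:-192.168.1.50}"
  openssl verify -CAfile "$out/ca.crt" "$out/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$out/server.crt" -noout -text |
    grep -Eq "IP Address:$ip(,|\$)"
}

# Usage: sh gen_broker_certs.sh run [outdir] [broker-ip]
if [ "${1:-}" = "run" ]; then
  gen_broker_certs "${2:-./certs}" "${3:-192.168.1.50}"
  check_broker_cert "${2:-./certs}" "${3:-192.168.1.50}" && echo "certificate OK"
fi
```

The three output files map onto mosquitto's listener options: ca.crt is the `cafile`, server.crt the `certfile` and server.key the `keyfile` of the listener that has `protocol websockets`; the client side gets only ca.crt, installed in the browser's trust store. If you later change the broker's IP, the certificate has to be reissued, since the IP is baked into the SAN and there is no wildcard for IP entries.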