Configure Mosquitto Broker to work over SSL inside a local private network

Hi everyone,

I’m stuck trying to set up my mosquitto broker to work with secured web sockets in my local private network. It’s installed on a Windows server host. I’ve tried to create my own self-signed certificates with openssl and I did successfully connect a client, but not a websocket client via an angular app.

The angular app is not the problem because it can connect to the test.mosquitto broker over ssl.

If anyone could give me some tips on how to create these self-made certificates to work with a private IP address and be able to connect a client via web socket, it would be awesome.

Thanks devs!

Hi Rob,

My first instinct is that the angular app isn’t trusting the self-signed certificate. Does it have the option to add extra certificates to trust, or to (temporarily) not validate the server certificate?

Alternatively, it could be that the hostname in the certificate doesn’t match the one you are trying to connect to, which will also cause validation errors. That’s probably the most common difficulty I’ve seen people having.

Just to be sure - could you share your mosquitto config to make sure there isn’t anything off with it?

Regards,

Roger

Hi Roger,

My mosquitto.conf file looks like this.


allow_anonymous true

listener 9001
protocol websockets

listener 1883
protocol mqtt

listener 8883
protocol mqtt
cafile C:\Program Files\mosquitto\certs\serverCA.crt
certfile C:\Program Files\mosquitto\certs\server.crt
keyfile C:\Program Files\mosquitto\certs\server.key
tls_version tlsv1.2
require_certificate false

listener 8884
protocol websockets
cafile C:\Program Files\mosquitto\certs\serverCA.crt
certfile C:\Program Files\mosquitto\certs\server.crt
keyfile C:\Program Files\mosquitto\certs\server.key
tls_version tlsv1.2
require_certificate false

The package that I’m using to manage the mosquitto connection doesn’t have the ability to set up a certificate. But I’ve installed the certificate manually in the client’s computer and the error that I get is

net::ERR_CERT_COMMON_NAME_INVALID

I think it is that I’m not creating a valid certificate with my private IP address. Creating a domain is not an option.

Thanks.

Hi Rob,

You’ve already hit on the right answer. The client is (correctly) rejecting the certificate because the host/ip address doesn’t match the commonName part of the certificate.

There is a way around this, you can generate certificates with multiple subjectAltName entries instead of a commonName and they will be used for verification. It is allowed to put IP addresses in the subjectAltName entries as well as host names.

There is a script at https://raw.githubusercontent.com/owntracks/tools/master/TLS/generate-CA.sh that will generate a CA, plus server certificate and keys for you - including subjectAltName. It is written for Unix systems, but it really only makes use of the openssl tool, so it should be possible to achieve the same effect on Windows with a bit of effort.

Does that help?

Regards,

Roger
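The approach Roger describes (a private CA plus a broker certificate whose subjectAltName carries the LAN IP address), as an added example that is not from this thread and is not the owntracks generate-CA.sh script; it assumes openssl 1.1.1 or later is on PATH, and the IP address and hostname are placeholders to replace with your own:

```shell
#!/bin/sh
# Added example (not from the thread, not the owntracks generate-CA.sh): build a
# private CA and a broker certificate whose subjectAltName lists the broker's
# private IP (and a hostname), so a websocket client that trusts the CA accepts it.
# Assumptions: openssl 1.1.1+ on PATH; IP/hostname below are placeholders.
set -e

OUT="${OUT:-./certs}"
BROKER_IP="${BROKER_IP:-192.168.1.10}"      # placeholder: the broker's LAN address
BROKER_HOST="${BROKER_HOST:-mqttbroker}"    # placeholder: optional LAN hostname
DAYS="${DAYS:-825}"

gen_certs() {
    mkdir -p "$OUT"
    # 1. CA key + self-signed CA cert (this is the one to import into the client's trust store)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Private MQTT CA" \
        -keyout "$OUT/serverCA.key" -out "$OUT/serverCA.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$OUT/serverCA.ext"
    openssl x509 -req -sha256 -days "$DAYS" -in "$OUT/serverCA.csr" \
        -signkey "$OUT/serverCA.key" -extfile "$OUT/serverCA.ext" \
        -out "$OUT/serverCA.crt" 2>/dev/null

    # 2. Broker key + CSR. The CN is only informational: browsers check the SAN, not the CN.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$BROKER_HOST" \
        -keyout "$OUT/server.key" -out "$OUT/server.csr" 2>/dev/null

    # 3. Leaf extensions: SAN with both a DNS and an IP entry, serverAuth EKU.
    cat > "$OUT/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$BROKER_HOST,IP:$BROKER_IP
EOF

    # 4. Sign the broker CSR with the CA, attaching the SAN extensions.
    openssl x509 -req -sha256 -days "$DAYS" -in "$OUT/server.csr" \
        -CA "$OUT/serverCA.crt" -CAkey "$OUT/serverCA.key" -CAcreateserial \
        -extfile "$OUT/server.ext" -out "$OUT/server.crt" 2>/dev/null
}

# Print the IP SAN entry, to confirm it is present before copying the files to the broker.
ip_san_of() {
    openssl x509 -in "$1" -noout -text | grep -o 'IP Address:[0-9.]*'
}

# The same check the client performs at the handshake: does the broker cert chain to the CA?
chain_ok() {
    openssl verify -CAfile "$OUT/serverCA.crt" "$OUT/server.crt" >/dev/null 2>&1
}
```

The resulting serverCA.crt, server.crt and server.key map directly onto the cafile, certfile and keyfile entries of the 8883 and 8884 listeners in the config above; the client must connect using exactly the IP or hostname placed in the SAN.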

Hello Roger,

Thanks for the tips. Does the config file look good? I’m struggling to generate a valid certificate with this script because my Linux skills are a little bit rusty. I will answer if I achieve something.

Thanks.

Hi Rob,

Yes, the config looks fine. I started to try to convert the script to something usable on Windows, then realised it’s quite a big task actually. I’m not sure what to suggest for it.

Regards,

Roger