Mosquitto broker TLS stopped working after update to 2.0.10

Hi,

I have a mosquitto broker running fine for years on an opensuse server, including TLS.
I recently upgraded from opensuse leap 15.2 to 15.3.
Now I noticed the broker has stopped working and the reason is the TLS configuration.
If I remove it, all works fine again.
The configuration did not change during the update, only the broker version.

This is the error message I get:
Error: Unable to load server key file "/etc/letsencrypt/live/banzhaf.chickenkiller.com/privkey.pem". Check keyfile.

Obviously I checked the key file:

  • The user running the broker can read it
  • starting the command as root also fails
  • using the key file and cert to communicate with the openssl s_client and s_server commands shows the cert and key are valid

This is the opensuse rpm version:
mosquitto-2.0.10-bp153.1.1.x86_64

Is there a known bug in this version?

Here is the tls config, nothing fancy:

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/letsencrypt/live/banzhaf.chickenkiller.com/fullchain.pem
keyfile /etc/letsencrypt/live/banzhaf.chickenkiller.com/privkey.pem
require_certificate      true
use_identity_as_username true
use_username_as_clientid true

The start command is simply
/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Which contains just this line:
include_dir /etc/mosquitto/conf.d

which contains the above tls config

Any idea how to get this going again?

Hi joba,

Let's Encrypt certificates are not accessible to anything other than root, and since version 2 Mosquitto will not run as root when trying to read certificates.

We provide a Let's Encrypt renewal hook which will be run when new licenses are deployed by certbot. It can be used to automatically copy the new certificate and private key to an accessible location, set the required permissions, and signal the broker to reload the certificates. The script is mosquitto-copy.sh in the eclipse/mosquitto repository on GitHub (branch master).

Let me know if you have any questions.

Regards,

Roger
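
An added illustration of the workflow Roger describes, in POSIX sh. It is not the project's mosquitto-copy.sh and not part of the original thread: a certbot deploy hook that copies the renewed files out of the root-only lineage directory, sets ownership and modes so only the broker user can read the key, and sends the broker SIGHUP to reload. The destination directory /etc/mosquitto/certs and the mosquitto user and group are assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks. It goes slightly beyond the thread by installing each file under a temporary name and renaming it into place, so a reload that races the copy can never open a half-written or still world-readable key.

```shell
#!/bin/sh
# Added example (not the project's mosquitto-copy.sh): a certbot deploy hook
# that copies a renewed Let's Encrypt certificate and key to a directory the
# broker user can read and then asks Mosquitto to reload.
# Assumptions: the broker runs as user/group "mosquitto" and its listener's
# certfile/keyfile point at $MOSQ_DEST, not at /etc/letsencrypt/live.
set -eu

MOSQ_DEST="${MOSQ_DEST:-/etc/mosquitto/certs}"
MOSQ_USER="${MOSQ_USER:-mosquitto}"
MOSQ_GROUP="${MOSQ_GROUP:-mosquitto}"

# install_certs <lineage_dir> <dest_dir> [owner] [group]
# Copies fullchain.pem and privkey.pem from a lineage directory (root-only
# under /etc/letsencrypt by default) into dest_dir. Fails loudly if a file is
# missing so certbot reports the hook error instead of leaving a stale key.
install_certs() {
    lineage="$1"; dest="$2"; owner="${3:-}"; group="${4:-}"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "install_certs: cannot read $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # The chain is public (0644); the key is readable by the broker only (0640).
    # Each file is prepared under a temporary name and renamed into place, so a
    # broker that reloads mid-copy never opens a truncated or world-readable key.
    for f in fullchain.pem privkey.pem; do
        cp "$lineage/$f" "$dest/$f.tmp"
        if [ "$f" = privkey.pem ]; then chmod 0640 "$dest/$f.tmp"; else chmod 0644 "$dest/$f.tmp"; fi
        [ -z "$owner" ] || chown "$owner:$group" "$dest/$f.tmp"
        mv "$dest/$f.tmp" "$dest/$f"
    done
}

# key_is_private <path>: succeeds when the "other" permission bits are clear,
# i.e. the file is not world-readable. A quick check of what the hook must
# guarantee for the private key.
key_is_private() {
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$perms" in *0) return 0 ;; *) return 1 ;; esac
}

# Mosquitto re-reads its configuration, including the listener's certfile and
# keyfile, on SIGHUP.
reload_broker() {
    pkill -HUP -x mosquitto
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy
# hooks; outside that context the script only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$MOSQ_DEST" "$MOSQ_USER" "$MOSQ_GROUP"
    reload_broker
fi
```

Install it with certbot's --deploy-hook option or drop it into /etc/letsencrypt/renewal-hooks/deploy/, and point the listener's certfile and keyfile at the copied files instead of the paths under /etc/letsencrypt/live. A readable privkey.pem on its own is not sufficient: the file under live/ is a symlink into archive/, and certbot creates both directories mode 0700 owned by root, so a broker that has already dropped root can fail to open the key even when the key file's own permission bits look correct.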

Thank you, this worked.

Anyway, I checked the ownership of the key file before and it was owned by group mosquitto, which had read access (I did that). I could do a cat privkey.pem as user mosquitto without a problem. So I don’t understand why it works now and what blocked access before. Strange…