Mosquitto broker TLS stopped working after update to 2.0.10

joba1 · March 23, 2022, 6:39pm

Hi,

I have a mosquitto broker running fine for years on an opensuse server, including TLS.
I recently upgraded from opensuse leap 15.2 to 15.3.
Now I noticed the broker has stopped working and the reason is the TLS configuration.
If I remove it, all works fine again.
The configuration did not change during the update, only the broker version.

This is the error message I get:
Error: Unable to load server key file "/etc/letsencrypt/live/banzhaf.chickenkiller.com/privkey.pem". Check keyfile.

Obviously I checked the key file:

The user running the broker can read it
start the command as root also fails
using the key file and cert to communicate with openssl s_client and s_server commands shows the cert and key is valid

This is the opensuse rpm version:
mosquitto-2.0.10-bp153.1.1.x86_64

Is there a known bug in this version?

Here is the tls config, nothing fancy:

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/letsencrypt/live/banzhaf.chickenkiller.com/fullchain.pem
keyfile /etc/letsencrypt/live/banzhaf.chickenkiller.com/privkey.pem
require_certificate      true
use_identity_as_username true
use_username_as_clientid true

The start command is simply
/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Which contains just this line:
include_dir /etc/mosquitto/conf.d

which contains the above tls config

Any idea how to get this going again?

roger.light · March 23, 2022, 8:00pm

Hi joba,

Lets Encrypt certificates are not accessible to anything other than root, and since version 2 Mosquitto will not run as root when trying to read certificates.

We provide a Lets Encrypt renewal hook which will be run when new licenses are deployed by certbot. It can be used to automatically copy the new certificate and private key to an accessible location, set the required permissions, and signal the broker to reload the certificates. The script is at mosquitto/mosquitto-copy.sh at master · eclipse/mosquitto · GitHub

Let me know if you have any questions.

Regards,

Roger

joba1 · March 23, 2022, 8:55pm

Thank you, this worked.

Anyways, I checked the ownership of the key file before and it was owned by group mosquitto that had read access (I did that). I could do a cat privkey.pem as user mosquitto without a problem. So I don’t understand, why it works now and what blocked access before. Strange…

Topic		Replies	Views
SSL issues from updated OpenWRT box Mosquitto MQTT Broker	1	185	February 25, 2024
`no shared cipher` with Tasmota/Mosquitto compiled from source Mosquitto MQTT Broker	2	377	November 16, 2021
Still being able to connect to broker after enabling require_certificate Community Q&A	3	3828	August 18, 2021
Difficulties with running Mosquitto with TLS Community Q&A	0	279	June 21, 2023
Mosquitto broker WSS connection not working Community Q&A	2	831	December 7, 2021

Mosquitto broker TLS stopped working after update to 2.0.10

Related topics