MQTT broker TLS configuration - unknown error

Dear

For a project, we'd like to connect an S7-1500 Siemens PLC to a historian over MQTT.
The broker is configured and running on VMware.
It is working fine using a user/password setup. When trying TLS, it won't work.

To use TLS, I configured a CA to create a CA.crt, Server.crt and Server.key using OpenSSL. I will not be using client certificates; a server certificate is enough.
While creating the server.crt, I specified the common name as the IP address of the VMware machine.

In mosquitto.conf, I specified the cafile, keyfile and certfile as well as the listener 8883.
I suppose that tls-version 1.2 is default?

When testing the connection and trying to publish something using the terminal as a client, it replies with 'Unknown error' after 'Client null sending CONNECT', even though I'm passing the cafile parameter as well.

I also tried to specify the common name as the system name, but this doesn’t seem to work either.

Are there any problems I need to be aware of when modifying mosquitto.conf?
Because of the unknown error, it is hard to find my fault.

Thank you in advance!

Kind regards,

The current mosquitto version will allow TLS 1.2 and 1.3 connections if nothing is specified using tls_version in mosquitto.conf.

What you describe sounds like you are using a self-signed certificate. In this case you have to make sure the CA.crt is used by the client to verify the server identity, as your server CERT is not signed by any well-known root CA.
As I don't know what kind of MQTT client we are talking about, it's hard to decide if the CA.crt is in the right format to be used by this client.
The second problem might be the CN name of the server CERT. By default most TLS-based clients will verify the server identity by comparing the CN with the host specified in the connect of the client. E.g. if your client connects to the MQTT broker using the name my-private-servername.my-domain, the client will check if the CN of the server CERT is my-private-servername.my-domain as well.

To get more details about the reason for your problem it might be helpful to disable the server identity check for a first test. Some TLS implementations allow disabling the server identity check. But you would need to fix the CN and should enable the server identity check later to reduce the risk.

Another option would be to use the openssl tools to verify that the TLS connection is working. E.g. for the server test.mosquitto.org you are able to check the connection by using:
openssl s_client -showcerts -connect test.mosquitto.org:8883

For your self-signed CERT you would need to add the CA.crt to the openssl client invocation:
openssl s_client -CAfile CA.crt -showcerts -connect myserver.mydomain:8883

This way you should be able to check your server TLS setup independent of the MQTT client to be used.
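The following script is an added example, not code from this thread or from the mosquitto project. It carries the reply's advice through end to end: it builds a private CA and a broker certificate, writes the matching mosquitto.conf listener (server certificate only, no client certificates), checks the certificate offline with the same name-matching rules a strict client applies, and wraps the s_client check from the reply so that openssl also verifies the name. One point worth adding to the CN discussion above: OpenSSL-based clients, mosquitto_pub included, that are given an IP address match it only against iPAddress entries in the subjectAltName extension, never against the CN, so a certificate whose CN is the IP and which has no SAN fails the identity check; the certificate below therefore puts both the DNS name and the IP in the SAN. The hostname broker.example.internal, the IP 192.0.2.10 (RFC 5737 documentation range) and the directory ./tls-demo are assumed values, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the mosquitto project): private CA,
# broker certificate with DNS and IP SAN, mosquitto.conf listener, and
# offline/online checks. Hostname, IP and directory below are assumptions.
set -eu

WORKDIR="${WORKDIR:-./tls-demo}"
BROKER_NAME="broker.example.internal"   # assumed DNS name of the broker
BROKER_IP="192.0.2.10"                  # assumed IP address of the broker

make_certs() {
    mkdir -p "$WORKDIR"
    # Self-contained OpenSSL configs so the script does not depend on the
    # system openssl.cnf. ca.crt is what the client later gets as cafile.
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo MQTT CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # The CN still carries the hostname, but the SAN is what clients match.
    # A client connecting by IP compares against iPAddress SAN entries only.
    cat > "$WORKDIR/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $BROKER_NAME
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$BROKER_NAME,IP:$BROKER_IP
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/server.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Listener block for mosquitto.conf: server certificate only; clients are
# not asked for a certificate (require_certificate false is the default).
write_mosquitto_conf() {
    cat > "$WORKDIR/mosquitto.conf" <<EOF
listener 8883
cafile $WORKDIR/ca.crt
certfile $WORKDIR/server.crt
keyfile $WORKDIR/server.key
require_certificate false
EOF
}

# Offline check of server.crt: chains to ca.crt AND matches the exact name
# the client will use. $1 is "dns" or "ip", $2 the name. Exit 0 = accepted.
verify_cert() {
    case "$1" in
        dns) opt="-verify_hostname" ;;
        ip)  opt="-verify_ip" ;;
        *)   echo "usage: verify_cert dns|ip NAME" >&2; return 2 ;;
    esac
    openssl verify -CAfile "$WORKDIR/ca.crt" "$opt" "$2" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Live handshake with a running broker, as in the reply above, but with the
# name match applied too and the handshake aborted on any verify error.
check_broker() {
    case "$1" in
        *[!0-9.]*) opt="-verify_hostname" ;;   # contains letters: DNS name
        *)         opt="-verify_ip" ;;         # dotted IPv4 literal
    esac
    openssl s_client -CAfile "$WORKDIR/ca.crt" "$opt" "$1" -verify_return_error \
        -connect "$1:8883" </dev/null 2>&1 | grep -E '^Verify return code|verify error'
}

# Terminal publish test once the broker runs with the listener above.
publish_test() {
    mosquitto_pub -h "$BROKER_NAME" -p 8883 --cafile "$WORKDIR/ca.crt" \
        -t demo/tls -m "hello over TLS"
}

if [ "${1:-}" = "demo" ]; then   # run as: sh tls-demo.sh demo
    make_certs; write_mosquitto_conf
    verify_cert dns "$BROKER_NAME" && echo "DNS name matches"
    verify_cert ip "$BROKER_IP" && echo "IP address matches"
    verify_cert ip "192.0.2.99" || echo "wrong IP rejected, as expected"
fi
```

Run `sh tls-demo.sh demo` to generate the files and see the offline checks; point the broker at the generated mosquitto.conf, then `check_broker "$BROKER_NAME"` (or the IP, whichever string the PLC or historian will actually use) reproduces the s_client test from the reply with the identity check included, and `publish_test` is the terminal publish from the question with the CA supplied.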