Still being able to connect to broker after enabling require_certificate

Hello all,

This is my first time trying to set up an MQTT broker using mosquitto. I’ve gone through the steps of creating certificates using this guide: Some Notes on setting up MQTT over TLS - Raspberry Pi Forums

It all worked fine, but when adding require_certificate true in the mosquitto config, I could still connect without using TLS. If I need to provide any more information, please tell me so.

Hi,

It’s a pretty good overview on that page. I’ve just tested this myself and it worked exactly as I expected, so let me explain what I did so we can find out what is different.

I’m using mosquitto 2.0.11, and I’m using certificates that are in the mosquitto repository so I don’t need to worry about generating them myself. The certificates are only useful when working on a single computer, but that’s fine here.

My configuration file is:

listener 8883
cafile test/ssl/all-ca.crt
certfile test/ssl/server.crt
keyfile test/ssl/server.key
require_certificate true
# To make testing a little simpler:
allow_anonymous true

The certificates are in the test/ssl directory of the mosquitto source, I’m going to be running mosquitto from the root directory of the mosquitto source:

cd /path/to/source
mosquitto -c test.conf -v

Now I’ll try to connect with mosquitto_sub. First without specifying our CA certificate (because we’re using port 8883, mosquitto_sub will default to using TLS in version 2.0 and later, in earlier versions it would not use TLS unless explicitly told to).

$ mosquitto_sub -p 8883 -t topic -d
Client (null) sending CONNECT
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.

As expected, the client rejected our custom certificate.

Now trying with the CA certificate (which is at test/ssl/all-ca.crt):

$ mosquitto_sub -p 8883 -t asdf -d --cafile test/ssl/all-ca.crt 
Client (null) sending CONNECT
OpenSSL Error[0]: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required
Error: The connection was lost.

This gives the error I’d expect - the server is rejecting the connection because the client isn’t providing a certificate.

Now trying with a certificate:

$ mosquitto_sub -p 8883 -t asdf -d --cafile test/ssl/all-ca.crt --cert test/ssl/client.crt --key test/ssl/client.key 
Client (null) sending CONNECT
Client (null) received CONNACK (0)
Client (null) sending SUBSCRIBE (Mid: 1, Topic: asdf, QoS: 0, Options: 0x00)
Client (null) received SUBACK
Subscribed (mid: 1): 0

And it succeeds.

Please take a look and see where your configuration differs. If there’s something that doesn’t make sense I’d be happy to hear about it so we can improve things for other people.

Regards,

Roger

Hi,

I’m very sorry for the late reply; this was because I was on vacation and unable to proceed. I’ve tried what you did, and it worked! Although I’m pretty new to the whole thing of setting up certificates, and there’s something I don’t quite understand.

I’m trying to set up this broker for a project called OwnTracks. It’s a tool to share your location with other people through the MQTT broker. In the app, to enable TLS, you need to specify the following: CA certificate, Client certificate, and Client certificate password.

The first one I do understand: that’s the CA certificate, which contains no sensitive information. You should be generating a CA certificate, which the mosquitto-tls manual tells you how to do. If I’m correct, this should also be the cafile in the .conf file on the broker. Then in the manual, it creates a server.key file, creates a signing request, and the CA signs that request and the output is server.crt, the server certificate. So certfile should be server.crt, and keyfile should be server.key.

Then when moving to the client, basically the same thing happens as in the steps for the server: first a key is made, then a signing request is made, then the CA signs it and the output is the client certificate. So I just need to put the client.crt file in the OwnTracks app (with the client certificate password being the optional password you can set), and then it should have a connection via TLS?

Sorry for this large message, I just want to make sure I understand how it works, and make sure not to make any errors.

Kind regards,
fireFerry

Yes, your understanding is correct. Just to be extra clear, the CA certificate on the broker is used to verify the client certificates, and the CA certificate on the client is used to verify the broker certificates. They don’t actually need to be the same CA certificates.

The owntracks project has a nice script that can generate certificates for you: https://raw.githubusercontent.com/owntracks/tools/master/TLS/generate-CA.sh

Regards,

Roger
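The steps fireFerry walks through (CA, then server key/CSR/cert, then client key/CSR/cert) and Roger's point that the broker's cafile and the client's CA file need not be the same CA, carried out with openssl as an added example. This script is not from the thread, from the Mosquitto project or from the OwnTracks tools; it also writes the same require_certificate listener configuration Roger posted in his first reply, pointed at the generated files. The host name broker.example, the subject names, the working directory and the file basenames are assumptions for the demo. Two separate CAs are used deliberately: the broker only needs the CA that signed the client certificates, and the client only needs the CA that signed the broker certificate.

```shell
#!/bin/sh
# Added example (not code from the thread, Mosquitto or OwnTracks).
# Builds a two-sided PKI with openssl: a broker CA and a client CA, a broker
# (server) cert and a client cert, then checks which CA each cert chains to.
# "broker.example", the CNs and the working directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA: $1 = file basename, $2 = common name.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  chmod 600 "$WORK/$1.key"
}

# End-entity cert the way the thread describes: key -> CSR -> CA signs it.
# $1 = basename, $2 = common name, $3 = CA basename,
# $4 = extendedKeyUsage (serverAuth or clientAuth), $5 = optional DNS SAN.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  chmod 600 "$WORK/$1.key"
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$4"
    if [ -n "${5:-}" ]; then printf 'subjectAltName=DNS:%s\n' "$5"; fi
  } > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -days 365 -sha256 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 if cert $1 chains to CA $2, non-zero otherwise.
verifies_against() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Bundle client cert + key as PKCS#12; $1 = export password (assumed value).
bundle_client_p12() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -out "$WORK/client.p12" -passout "pass:$1" 2>/dev/null
}

build_pki() {
  make_ca server-ca "Demo Broker CA"
  make_ca client-ca "Demo Client CA"
  # Clients check the broker's name against its cert, so the SAN must be the
  # host the client actually connects to (a phone will not use "localhost").
  issue_cert server broker.example server-ca serverAuth broker.example
  issue_cert client owntracks-phone client-ca clientAuth
  bundle_client_p12 "demo-p12-password"
  # Broker side: cafile is the CA that signed the *client* certs, not the CA
  # that signed the broker's own certificate.
  cat > "$WORK/mosquitto.conf" <<EOF
listener 8883
cafile $WORK/client-ca.crt
certfile $WORK/server.crt
keyfile $WORK/server.key
require_certificate true
EOF
  printf 'PKI and mosquitto.conf written to %s\n' "$WORK"
}

build_pki
```

Run the broker with `mosquitto -c "$WORK/mosquitto.conf" -v` and test with `mosquitto_sub -h broker.example -p 8883 -t topic --cafile "$WORK/server-ca.crt" --cert "$WORK/client.crt" --key "$WORK/client.key"`: the client's --cafile is the broker CA, while the broker's cafile is the client CA. For the OwnTracks app, the CA certificate field is server-ca.crt, the client certificate is the client.p12 bundle (certificate plus private key in PKCS#12 form), and the "client certificate password" is the password given to `openssl pkcs12 -export`.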
