I have MosQuiTTo installed on a Ubuntu 22 server. I’ve been able to get it to work with user name/password authentication, but not with encryption. If it matters, the digital certificate was obtained with Certbot. I’m testing it by using mosquitto_pub on the same server. The mosquitto.conf file currently looks like this:
Here’s the mosquitto_pub command, minus the user name and password:
sudo mosquitto_pub –-cafile /etc/letsencrypt/live/btexeliminator.net/chain.pem -t ‘test/topic’ -m ‘Hello, world!’ -r -p 8883
So what happens? I get an error saying, “Unknown option ‘–-cafile’.” Using “mosquitto_pub --help” or “man mosquitto_pub” shows “–cafile” is a valid option, so why would I get this error?
I just tried it with a single dash before “cafile” and got the “unknown option” error, then tried it with 2 dashes and got “Protocol error”. What should I do to figure out the cause of such a vague error message?
I tried putting the “listener” line in mosquitto.conf above the lines and adding “-d” to the mosquitto_pub command. Now I’m getting “OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed”, and in the log “OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading”.
This option will tell the broker, which ca-file should be used to validate the client CERTs. Client CERTs would offer an additional layer of security for the broker as only clients with a valid client CERT would be able to connect. But they would add an additional level of complexity as you would need to issue/update client CERTs for each client. So client CERTs are used to ensure the client identity. You should leave out this option. Otherwise the broker will expected the client to provide a client CERT, which most likely is the reason, why your connection is failing. If you want to use client CERTs you should be aware the CA used for the client CERT signing must not overlap with the any of the server CERT CA.
The following two options are the right one to configure a server CERTS and ensure encrypted connection between client and broker.
If your server CERT was created and signed by letsencrypt you normally don’t need to use a dedicated capath/cafile on the client as the root CA required to check the server CERT is already in the OS CA cert list. As you are using the port 8883 the mosquitto_pub should already try to connect using a TLS connection. If you want to make to specifiy it more explicitly you might use the --tls-use-os-certs option on the mosquitto_pub.
Thanks for the response. I commented out the “cafile” line. Now something different is happening. My mosquitto_pub command doesn’t show an error message, but also doesn’t exit. Isn’t it supposed to publish its message and exit immediately? I checked the log and the mosquitto_pub command didn’t cause anything to be logged.
Edit: It seems what I described above only happens when I use the host’s URL in the -h option. Specifying “localhost” and adding “–insecure” because the -h option didn’t match the name assigned to the certificate worked. I need it to work with the host’s URL or at least its IP address though. Might this be a firewall problem?
Hi,
using TLS/SSL you will have to specify the FQDN (full qualified host name) the same way it’s specified in the CERT. Tested it from my notebook and you server seems to be reachable and the TLS handshake is working. mosquitto_pub -h btexeliminator.net -p 8883 -t 'test-topic' -m 'Hello' Connection error: Connection Refused: not authorised. Error: The connection was refused.
I got the expected “not authorised” mqtt errror code.