Unable to use encryption

I have Mosquitto installed on a Ubuntu 22 server. I’ve been able to get it to work with user name/password authentication, but not with encryption. If it matters, the digital certificate was obtained with Certbot. I’m testing it by using mosquitto_pub on the same server. The mosquitto.conf file currently looks like this:

persistence true
persistence_location /var/lib/mosquitto/
per_listener_settings true

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

allow_anonymous false
tls_version tlsv1.2
cafile /etc/letsencrypt/live/btexeliminator.net/chain.pem
certfile /etc/letsencrypt/live/btexeliminator.net/cert.pem
keyfile /etc/letsencrypt/live/btexeliminator.net/privkey.pem
listener 8883
password_file /etc/mosquitto/passwords.txt

Here’s the mosquitto_pub command, minus the user name and password:
sudo mosquitto_pub –-cafile /etc/letsencrypt/live/btexeliminator.net/chain.pem -t 'test/topic' -m 'Hello, world!' -r -p 8883

So what happens? I get an error saying, “Unknown option ‘–-cafile’.” Using “mosquitto_pub --help” or “man mosquitto_pub” shows “–cafile” is a valid option, so why would I get this error?

Without looking deeper:
I see an extra sign in front of cafile. Is that maybe the problem? Or did that happen when you created this post?

I put 2 dashes before “cafile”.

I just tried it with a single dash before “cafile” and got the “unknown option” error, then tried it with 2 dashes and got “Protocol error”. What should I do to figure out the cause of such a vague error message?

I tried putting the “listener” line in mosquitto.conf above the lines and adding “-d” to the mosquitto_pub command. Now I’m getting “OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed”, and in the log “OpenSSL Error[0]: error:0A000126:SSL routines::unexpected eof while reading”.

Hi,

  1. mosquitto.conf
    In your mosquitto.conf you currently have three TLS options configured, but they have different meanings:

cafile /etc/letsencrypt/live/btexeliminator.net/chain.pem

This option tells the broker which CA file should be used to validate client CERTs. Client CERTs would offer an additional layer of security for the broker, as only clients with a valid client CERT would be able to connect. But they would add an additional level of complexity, as you would need to issue/update client CERTs for each client. So client CERTs are used to ensure the client identity. You should leave out this option. Otherwise the broker will expect the client to provide a client CERT, which most likely is the reason why your connection is failing.
If you want to use client CERTs you should be aware that the CA used for the client CERT signing must not overlap with any of the server CERT CAs.
The following two options are the right ones to configure a server CERT and ensure an encrypted connection between client and broker.

certfile /etc/letsencrypt/live/btexeliminator.net/cert.pem
keyfile /etc/letsencrypt/live/btexeliminator.net/privkey.pem

  2. If your server CERT was created and signed by letsencrypt you normally don’t need to use a dedicated capath/cafile on the client, as the root CA required to check the server CERT is already in the OS CA cert list. As you are using port 8883, mosquitto_pub should already try to connect using a TLS connection. If you want to specify it more explicitly you might use the --tls-use-os-certs option on mosquitto_pub.
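An added example for the two points above, not code from the thread, from certbot or from the Mosquitto project: it writes a TLS listener block in the order Mosquitto needs when `per_listener_settings true` is set (the `listener` line first, the options that belong to it after), checks that order in an existing mosquitto.conf, and wraps the client-side publish with `--tls-use-os-certs`. The hostname and paths are the ones from the thread; using `fullchain.pem` instead of `cert.pem` for `certfile` is an added assumption (so the broker also sends the Let's Encrypt intermediate to clients), and the function names are mine.

```shell
#!/bin/sh
# Added example (not the poster's or Mosquitto's own code). Assumptions: fullchain.pem
# as certfile; the rest of the paths and the hostname are taken from the thread.

# Emit a mosquitto.conf for $1 (the FQDN exactly as it appears in the certificate).
write_tls_listener_conf() {
  host="$1"
  cat <<EOF
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
per_listener_settings true

# With per_listener_settings true, everything below applies to this listener only,
# so 'listener' has to come before its TLS and authentication options.
listener 8883
certfile /etc/letsencrypt/live/$host/fullchain.pem
keyfile /etc/letsencrypt/live/$host/privkey.pem
tls_version tlsv1.2
# No cafile: only needed when clients are to present their own certificates.
require_certificate false
allow_anonymous false
password_file /etc/mosquitto/passwords.txt
EOF
}

# The ordering from the thread's first post (constructed from that post): the
# per-listener options sit above 'listener', which is what the check below flags.
thread_original_conf() {
  cat <<'EOF'
per_listener_settings true
allow_anonymous false
tls_version tlsv1.2
cafile /etc/letsencrypt/live/btexeliminator.net/chain.pem
certfile /etc/letsencrypt/live/btexeliminator.net/cert.pem
keyfile /etc/letsencrypt/live/btexeliminator.net/privkey.pem
listener 8883
password_file /etc/mosquitto/passwords.txt
EOF
}

# Return 0 when no per-listener option precedes the first 'listener' line in $1,
# 1 otherwise. Commented-out lines (#cafile ...) are ignored.
check_listener_order() {
  awk '
    /^[[:space:]]*listener[[:space:]]/ { seen = 1 }
    /^[[:space:]]*(cafile|capath|certfile|keyfile|require_certificate|allow_anonymous|password_file)[[:space:]]/ && !seen { bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Client-side publish matching the thread's command. --tls-use-os-certs verifies the
# broker against the OS trust store (as the reply above suggests); -h must be the
# FQDN in the certificate, not localhost or an IP, or verification fails.
mqtt_tls_publish() {
  host="$1"; user="$2"; pass="$3"; topic="$4"; msg="$5"
  mosquitto_pub -h "$host" -p 8883 --tls-use-os-certs \
    -u "$user" -P "$pass" -t "$topic" -m "$msg" -d
}

# Usage (not run here):
#   write_tls_listener_conf btexeliminator.net > /etc/mosquitto/mosquitto.conf
#   check_listener_order /etc/mosquitto/mosquitto.conf && echo "order ok"
#   mqtt_tls_publish btexeliminator.net user pass test/topic 'Hello, world!'
```

Run `check_listener_order` against the thread's posted configuration and it exits 1; against the generated one it exits 0. Restart the broker after writing the file so the listener is re-created with the new settings.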

Thanks for the response. I commented out the “cafile” line. Now something different is happening. My mosquitto_pub command doesn’t show an error message, but also doesn’t exit. Isn’t it supposed to publish its message and exit immediately? I checked the log and the mosquitto_pub command didn’t cause anything to be logged.

Edit: It seems what I described above only happens when I use the host’s URL in the -h option. Specifying “localhost” and adding “--insecure” because the -h option didn’t match the name assigned to the certificate worked. I need it to work with the host’s URL or at least its IP address though. Might this be a firewall problem?

Hi,
using TLS/SSL you will have to specify the FQDN (fully qualified host name) the same way it’s specified in the CERT. Tested it from my notebook and your server seems to be reachable and the TLS handshake is working.

mosquitto_pub -h btexeliminator.net -p 8883 -t 'test-topic' -m 'Hello'
Connection error: Connection Refused: not authorised.
Error: The connection was refused.

I got the expected “not authorised” mqtt error code.

My attention was drawn to other things at work and I forgot about this thread for a while. Anyway, the command you showed in your last response yields the following error in the log:

1733867859: New connection from 192.168.0.1:42914 on port 8883.
1733867859: OpenSSL Error[0]: error:0A000415:SSL routines::sslv3 alert certificate expired
1733867859: Client disconnected: Protocol error.

I used the update-ca-certificates command, but I still get this error.

Checked the connection to your server and your CERT is no longer valid. letsencrypt CERTs are only valid for 3 months.
You will need to renew the CERT using certbot, e.g.

sudo certbot renew

But normally certbot should renew the CERT after 6 weeks if certbot is installed on the host. If you have created the CERT using certbot in a docker container you will need to create a cron job to renew the CERT every few weeks.
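An added example for the expiry problem above, not code from the thread, from certbot or from the Mosquitto project: it checks how many days a certificate file (or the certificate a live broker presents) remains valid, and renews with a deploy hook that restarts the broker so it picks up the new files. The hostname and paths are from the thread; the 30-day threshold and `systemctl restart mosquitto` as the hook are my assumptions, as are the function names.

```shell
#!/bin/sh
# Added example (not the poster's, certbot's or Mosquitto's own code).
# Assumptions: a 30-day renewal threshold and a systemd-managed broker.

# Return 0 if the PEM certificate $1 is still valid $2 days from now, 1 otherwise.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the notAfter date of the certificate a TLS server presents on $1:$2.
# -servername sends SNI; the name must match the certificate, as the thread notes.
remote_cert_enddate() {
  host="$1"; port="${2:-8883}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Renew when fewer than $2 days remain (Let's Encrypt certificates last 90 days).
# certbot itself also skips certificates that are not yet due, so this only avoids
# a needless sudo prompt; the deploy hook runs only when a renewal actually happened,
# so the broker restarts and reloads certfile/keyfile without manual steps.
renew_if_needed() {
  cert="$1"; days="${2:-30}"
  if cert_valid_for_days "$cert" "$days"; then
    echo "certificate still valid for more than $days days, nothing to do"
    return 0
  fi
  sudo certbot renew --deploy-hook 'systemctl restart mosquitto'
}

# Usage (not run here):
#   remote_cert_enddate btexeliminator.net 8883
#   renew_if_needed /etc/letsencrypt/live/btexeliminator.net/cert.pem 30
```

`remote_cert_enddate` is the quick way to confirm the "certificate expired" alert from the log: if the printed `notAfter` is in the past, renewal is the fix, and `certbot renew --dry-run` will show whether the automatic renewal would succeed before the next expiry.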