
I got mosquitto working, using plain old TCP, but I want to secure it using SSL and TLS, so I followed the following guide to create the certificates for my mosquitto broker:

https://mosquitto.org/man/mosquitto-tls-7.html

Then I added the following lines to the config file:

listener 8883
cafile /mqtt/certs/ca.crt
certfile /mqtt/certs/server.crt
keyfile /mqtt/certs/server.key
require_certificate false

But now when I try to use mosquitto_sub on another machine to connect to the mosquitto broker over port 8883 (TLS), I get the following error on the broker:

New connection from XX.XXX.XXX.XXX on port 8883.
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client <unknown>, disconnecting.

I've tried doing the mosquitto_sub the following ways:

$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --cert client.crt --key client.key

And the certificates on the client side were generated based on the first link I mentioned earlier.

Anyone know why this is happening and how I can go about fixing it?

Aadesh

2 Answers

4

This is the right way to subscribe, as you do not require a client certificate:

mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt

It seems that the client fails to verify the server certificate. You should make sure that:

  • ca.crt is the same on client and server side
  • the common name of your server certificate corresponds to its hostname

Also check if you have the same OpenSSL version on the server and client side, as this error could also happen if client and server do not use a common protocol or do not share any cipher.

Hope it helps; otherwise I would be interested to know how you solved this problem.

Sophie Jacquin
  • I have the same problem, but my broker is on AWS EC2 and therefore the hostname changes all the time. Using it as the Common Name does not make sense. Are there any other ways fixing the problem? – Nazar Feb 26 '18 at 16:57
  • @Nazar if you are using AWS then use Route 53 to assign the IP a name and then use LB to connect with it – LumbusterTick Mar 12 '21 at 08:45
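The two checks in this answer can be run offline with the openssl command line before touching the broker. The script below is an added example, not part of the question or the answer: it builds a throwaway CA and a server certificate in a temporary directory (the hostname broker.example.test and all files are constructed for the demo), then shows how to compare the CA fingerprint across machines, how to verify that ca.crt actually signs server.crt, and how to check that the certificate's CN matches the hostname passed to -h. A second, unrelated CA stands in for a client that copied the wrong ca.crt, which is the situation that produces the "tlsv1 alert unknown ca" line in the broker log.

```shell
#!/bin/sh
# Added example (not from the question or answers): reproduce the checks
# from the answer offline. Every file and hostname below is constructed
# for the demo; replace WORK/* with the real ca.crt and server.crt paths.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
BROKER_HOST="broker.example.test"   # assumed: the name the client passes to -h

# Throwaway CA: this is the ca.crt that must be copied to the client
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server certificate whose CN is the broker hostname, signed by that CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=$BROKER_HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null

# An unrelated CA: what a client ends up trusting when it copies the wrong
# ca.crt. Verifying server.crt against it fails, hence "unknown ca".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Some Other CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" 2>/dev/null

# Check 1: print the SHA-256 fingerprint of a CA file. Run it on the broker
# and on the client; the two strings must be identical.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Check 2: does this ca.crt sign the broker's server.crt?
# usage: chain_verifies CAFILE CERT  (exit 0 on success)
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: does the certificate's CN (or SAN) match the hostname the client
# connects to? Uses openssl verify -verify_hostname (OpenSSL 1.1.0+).
# usage: hostname_matches CAFILE CERT HOSTNAME  (exit 0 on success)
hostname_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

echo "CA fingerprint (compare with the copy on the client):"
ca_fingerprint "$WORK/ca.crt"

if chain_verifies "$WORK/ca.crt" "$WORK/server.crt"; then
  echo "correct ca.crt: server.crt verifies"
fi
if ! chain_verifies "$WORK/other-ca.crt" "$WORK/server.crt"; then
  echo "wrong ca.crt: verification fails (the 'unknown ca' alert case)"
fi
if hostname_matches "$WORK/ca.crt" "$WORK/server.crt" "$BROKER_HOST"; then
  echo "CN matches $BROKER_HOST"
fi
if ! hostname_matches "$WORK/ca.crt" "$WORK/server.crt" "wrong.example.test"; then
  echo "CN mismatch: a client using -h wrong.example.test would reject this cert"
fi
```

On a real deployment, run ca_fingerprint against /mqtt/certs/ca.crt on the broker and against the ca.crt next to mosquitto_sub on the client; if the fingerprints differ, the client is trusting a different CA than the one that signed server.crt. If the chain verifies but the hostname check fails, the CN (or, better, a subjectAltName DNS entry) in server.crt does not match the value given to -h.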
2

Try the --insecure option.

mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --insecure
karmax
  • This should be only used when testing as it skips the server cert verification, effectively making the communication as good as unencrypted. – jiroch Feb 07 '22 at 17:00