
I'm trying to run an MQTT broker (Mosquitto) with TLS support. I followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt to generate the certificates and configuration. If I run

sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -d -v

It throws an error in /var/log/mosquitto/mosquitto.log:

mosquitto version 1.4.8 (build date Fri, 19 Feb 2016 12:03:16 +0100) starting
Config loaded from /etc/mosquitto/mosquitto.conf.
Opening ipv4 listen socket on port 8883.
Opening ipv6 listen socket on port 8883.
Error: Unable to load server key file "/etc/mosquitto/certs/mqtt_server.key". Check keyfile.

Here is my configuration in conf.d/mymqtt.conf:

# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/mqtt_ca.crt
certfile /etc/mosquitto/certs/mqtt_server.crt
keyfile /etc/mosquitto/certs/mqtt_server.key
require_certificate true
tls_version tlsv1.2
user mosquitto

And these certificate and key files are present in the proper location.

And here is the content of the default mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d
Kuldeep Singh

2 Answers

I ran into the same issue once and it was because the key was password protected. I changed the file settings so that the key file was readable only by a specific set of users and removed the password.

Khush Bhatia
  • I removed the password, but now mosquitto_sub is not able to connect with client certificates, I'm getting "OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca" – Kuldeep Singh Mar 22 '17 at 04:40
  • That could be because mosquitto_sub does not know the list of trusted certificate authorities. Put the public certificate in /etc/ssl/certs and specify the path in mosquitto_sub using --capath /etc/ssl/certs. – Khush Bhatia Mar 22 '17 at 17:44
For posterity: you also get this error if the key doesn't match the certificate. So remember to check that:

openssl rsa -noout -in key.pem -modulus | openssl md5

should match

openssl x509 -noout -in cert.pem -modulus | openssl md5

I spent hours trying to fix this until I realised I'd mixed up the keys.

David W
  • Thanks! That held true for me too! However, it seems that after signing the certificate request there is no way to make the md5 match. It always seems to be different, which raises the question of how to make it work with a real CA certificate. – glades Jan 07 '21 at 17:13
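The checks behind both answers, as an added example that is not part of the original question or answers. It builds a throw-away CA and server key pair with the openssl CLI (the only thing it assumes is installed; every file name and subject such as demo-mqtt-ca is made up for the example) and then tests each key for the three things that make Mosquitto report "Unable to load server key file": a passphrase-protected key, a key that belongs to a different certificate, and a key the `user mosquitto` account cannot read. It also verifies the server certificate against two CA files, which is the client-side "tlsv1 alert unknown ca" case from the comments. The pairing test goes slightly beyond the answer: instead of hashing the RSA modulus it compares the public key extracted from the key and from the certificate, which is the same check and also works for EC keys.

```shell
#!/bin/sh
# Added example, not from the original question or answers.  Reproduces the causes of
# "Unable to load server key file" discussed above (passphrase-protected key, key for a
# different certificate, key unreadable by the broker user) and the client-side
# "unknown ca" from the comments, against a throw-away PKI.  Assumes only the openssl
# CLI; every file name and subject (demo-mqtt-*) is made up for this example.
set -eu

# Passphrase-protected keys: both the traditional "Proc-Type: 4,ENCRYPTED" header and
# the PKCS#8 "-----BEGIN ENCRYPTED PRIVATE KEY-----" marker contain the word ENCRYPTED.
# A broker started by an init script cannot supply the passphrase.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Key/certificate pairing.  The answer above compares RSA moduli; comparing the public
# key extracted from each file is the same test and also works for EC keys.
key_matches_cert() {
    key_is_encrypted "$1" && return 1          # would prompt; treat as "cannot load"
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The config says "user mosquitto", so the key must be readable by that user (owner or
# group) while the world-read bit stays off.  Column 8 of `ls -l` is the others-read
# bit on both GNU and BSD ls.
key_is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Does the server certificate chain to the CA file the clients will be given?  A client
# pointed at a different CA (--cafile) answers with "tlsv1 alert unknown ca".
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the throw-away material in "$1": a CA, a server key+cert signed by it, a second
# unrelated CA, an unrelated key, and a passphrase-protected copy of the server key.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-mqtt-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-other-ca" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.crt" 2>/dev/null
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=demo-mqtt-broker" \
        -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null          # the "mixed-up" key
    openssl rsa -in "$d/server.key" -aes256 -passout pass:demo-only \
        -out "$d/server.enc.key" 2>/dev/null                      # the protected key
    chmod 640 "$d/server.key"
    chmod 644 "$d/other.key" "$d/server.enc.key"
}

# Print one verdict per key, in the order the broker would trip over the problems.
report() {
    d="$1"
    for k in server.key other.key server.enc.key; do
        if key_is_encrypted "$d/$k"; then
            echo "$k: passphrase-protected, the broker cannot load it without the passphrase"
        elif ! key_matches_cert "$d/$k" "$d/server.crt"; then
            echo "$k: does not pair with server.crt"
        elif key_is_world_readable "$d/$k"; then
            echo "$k: pairs with server.crt but is world-readable"
        else
            echo "$k: OK, pairs with server.crt and is not world-readable"
        fi
    done
    for ca in ca.crt other-ca.crt; do
        if cert_chains_to_ca "$d/$ca" "$d/server.crt"; then
            echo "clients using --cafile $ca will accept server.crt"
        else
            echo "clients using --cafile $ca will send 'unknown ca'"
        fi
    done
}

# Run the demo when openssl is available; the functions above also work on real files.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    trap 'rm -rf "$demo"' EXIT
    make_demo_pki "$demo"
    report "$demo"
fi
```

To use the checks on a real broker, call them with the paths from the listener block (`keyfile`, `certfile`, `cafile`); `key_matches_cert` with the real key and certificate and `cert_chains_to_ca` with the real CA file answer the two questions raised in the answers and comments above, and the world-readable test should come back false for the key while the account named in `user` still has read access through the owner or group bits.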