
I'm building an MQTT server. I used mosquitto with TLS on the server as a broker.

I encountered this problem: I created the ca.crt, server certificate, server key, client certificate and client key via generate-CA.sh.

I can connect to the broker and publish and subscribe to messages via MQTT.fx, but when I tried to connect to the broker with mosquitto_sub, it came out with "Error: A TLS error occurred" on the client PC (Ubuntu). At the same time, the server prints:

New connection from xx.xx.xx.xx on port 8883.
Openssl Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Openssl Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

The command I used is:

mosquitto_sub -p 8883 -i test -t mqtt -h 150.xx.xx.xx --cafile ca.crt --cert xx.crt --key xx.key

in which 150.xx.xx.xx is the IP of my broker.

When I used the option --insecure with the command above, the problem disappeared, so I think it is the server hostname which leads to this problem. In the mosquitto_sub command the option -h specifies the hostname, but I need to use this parameter to point to the IP address of my broker, so how could I specify the hostname of my server?

declension
Bingoal Lee

1 Answer


Old question but perhaps this might help someone:

If the --insecure option makes it work, you have a certificate problem. What hostname did you set whilst signing the certificate? What does openssl s_client -showcerts -connect 150.xx.xx.xx:8883 say?

Related: although it should be possible to use SSL certs for your servers using public IP addresses (see Is it possible to have SSL certificate for IP address, not domain name?), I'd recommend not doing this and just using DNS, even if this means server.localdomain and/or editing your /etc/hosts file if necessary.

declension
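As an added example (not code from the original question or answer), the following shell script reproduces the check that fails here and shows the fix the answer points at: the broker certificate's Subject Alternative Name must match whatever is passed to -h, which is the check --insecure switches off. It uses only the openssl CLI. The name broker.example.test, the address 192.0.2.10 (RFC 5737 documentation range) and the throwaway CA are constructed placeholders, not the poster's generate-CA.sh output.

```sh
#!/bin/sh
# Added example, not code from the original question or answer. Shows the
# hostname check a TLS client such as mosquitto_sub performs (and --insecure
# disables), and how to issue a broker certificate whose Subject Alternative
# Name (SAN) covers the value passed to -h. Requires the openssl CLI. The
# name broker.example.test and the address 192.0.2.10 (RFC 5737 range) are
# constructed placeholders; the CA is a throwaway test CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway CA (once) and a broker certificate carrying the SAN
# entries given as the argument, e.g. "DNS:broker.example.test,IP:192.0.2.10".
make_broker_cert() {
    san="$1"
    if [ ! -f "$WORK/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 3 \
            -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
            -subj "/CN=Throwaway MQTT test CA" >/dev/null 2>&1
    fi
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/broker.key" -out "$WORK/broker.csr" \
        -subj "/CN=broker.example.test" >/dev/null 2>&1
    printf 'subjectAltName=%s\n' "$san" > "$WORK/san.ext"
    openssl x509 -req -days 3 -in "$WORK/broker.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/broker.crt" >/dev/null 2>&1
}

# Check the broker certificate the way a TLS client does: it must chain to
# the CA *and* its SAN must match the name or IP the client connected to.
# Prints "ok" or "fail". A plain IPv4 literal is matched against IP SAN
# entries, anything else against DNS entries.
check_name() {
    name="$1"
    case "$name" in
        *[!0-9.]*) flag="-verify_hostname" ;;
        *)         flag="-verify_ip" ;;
    esac
    if openssl verify -CAfile "$WORK/ca.crt" "$flag" "$name" \
            "$WORK/broker.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    # 1. Certificate issued for a DNS name only, then used with -h <IP>:
    #    this is the situation in the question and fails hostname checking,
    #    which the client reports as a TLS error and the broker logs as a
    #    "certificate unknown" alert.
    make_broker_cert "DNS:broker.example.test"
    echo "DNS-only cert, connect by name : $(check_name broker.example.test)"
    echo "DNS-only cert, connect by IP   : $(check_name 192.0.2.10)"

    # 2. Reissue with the IP in the SAN as well; now -h 192.0.2.10 verifies
    #    and --insecure is not needed. A different IP still fails, as it should.
    make_broker_cert "DNS:broker.example.test,IP:192.0.2.10"
    echo "DNS+IP cert, connect by IP     : $(check_name 192.0.2.10)"
    echo "DNS+IP cert, wrong IP          : $(check_name 192.0.2.11)"
    # The matching client invocation would then be, without --insecure:
    #   mosquitto_sub -h 192.0.2.10 -p 8883 --cafile "$WORK/ca.crt" -t mqtt
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

The alternative the answer recommends works the same way: give the broker a DNS name (via real DNS or an /etc/hosts entry), issue the certificate for that name, and pass that name to -h so the client resolves it to the IP while the certificate check still matches.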