1

I have an emqx mqtt broker running on EC2 and the ssl and wss configuration looks like this:

listener.ssl.external = 8883
listener.ssl.external.keyfile = /etc/emqx/certs/key.pem
listener.ssl.external.certfile = /etc/emqx/certs/cert.pem
listener.ssl.external.cacertfile = /etc/emqx/certs/cacert.pem

listener.ws.external = 8083

listener.wss.external = 8084
listener.wss.external.keyfile = /etc/emqx/certs/key.pem
listener.wss.external.certfile = /etc/emqx/certs/cert.pem
listener.wss.external.cacertfile = /etc/emqx/certs/cacert.pem
listener.wss.external.verify = verify_none
listener.wss.external.fail_if_no_peer_cert = false

When I try to connect to the broker using the emqx dashboard (hosted on http) without ssl (ws://IP:8083/mqtt), it works fine, but when I use the emqx dashboard (hosted on https) with ssl (wss://IP:8084/mqtt), it doesn't connect. How do I connect to the broker through https on wss?

Edit: I want one-way authentication. I will be connecting to the broker from a React web app and also through a NodeJS app. So, I don't want to provide a certificate from the client side. The certificates I am using are the ones provided by the EMQX installation. Also, I am using the client certificates provided by EMQX for https ssl. And if the browser is opening the https without any warning, it should also be able to connect to the websocket.

Bharat Chhabra
  • 1,686
  • 2
  • 14
  • 20
  • Edit the question to show the code you are using to connect. Is this code running in the browser, if so are you using a "real" certificate or a self-signed one? – hardillb Mar 08 '20 at 18:12
  • I am using the dashboard provided by emqx which is available on the port 18083. And I generated a self-signed certificate to run dashboard on https. – Bharat Chhabra Mar 08 '20 at 19:49
  • Please [EDIT](https://stackoverflow.com/posts/60589889/edit) the question to add more detail. Have you imported the self-signed certificate into the browser's trust store (not just accepted it for the connection)? – hardillb Mar 08 '20 at 20:16

2 Answers

1

Websocket connections have no way to present the same warning about untrusted certificates that you get when you visit a webpage.

This means there is no way to tell the browser to trust the connection. If you want to use self-signed certificates then you need to import them into the browser's trust store so they are explicitly trusted.

The other option is to use something like LetsEncrypt to get a real certificate that the browser will already trust.

hardillb
  • 54,545
  • 11
  • 67
  • 105
  • I am using the client certificates provided by EMQX for https ssl. And if the browser is opening the https without any warning, it should also be able to connect to the websocket. – Bharat Chhabra Mar 08 '20 at 20:25
  • Are you sure you are using the same certificate for both the https and wss on the broker (not client certificates)? – hardillb Mar 08 '20 at 20:30
  • See, when one installs emqx, it provides 5 pem files: cacert.pem, cert.pem, key.pem, client-cert.pem, client-key.pem. Now, emqx is using the first 3 files in its conf and apache is using client-cert.pem and client-key.pem as its ssl certificate and key. When I open the domain where the broker dashboard is hosted, it opens up without any warning for the ssl certificate and shows the `connection secure` sign. So, that means the browser was able to identify the certificate. If that's the case then the websocket should also be able to allow the connection. – Bharat Chhabra Mar 08 '20 at 20:37
0

Either the certificate needs to be issued by a CA so that the browser can automatically verify it. Note that the certificate is the same as the domain.

Or the certificate needs to be in the browser (self-signed certificate).

Or you have trusted the validation error.

Open with browser:

https://localhost:8084/mqtt

A trust error will pop up. On this error page, click trust, and then:

wss://localhost:8084/mqtt

It's OK.

wivwiv
  • 255
  • 1
  • 3
  • I am using a subdomain to access broker. So, should I add the subdomain while generating certificate or the domain will work? – Bharat Chhabra Apr 18 '20 at 09:32
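The following is an added example and not code from the question or either answer. It is a shell script driving the openssl CLI that builds a throwaway private CA and a broker certificate, then runs the two checks a browser or a Node TLS client performs before it lets a wss:// connection through: is the issuing CA in the trust store, and does the hostname in the URL appear in the certificate's subjectAltName. This covers both the trust-store point in hardillb's answer and the subdomain question in the last comment. The hostnames `mqtt.example.com` and `other.example.com` and the working directory are constructed placeholders; the file names mirror the ones in the question's EMQX config but the keys and certificates are generated here, not the ones shipped with EMQX.

```shell
#!/bin/sh
# Constructed demo: private CA + broker cert, then the checks a TLS client runs.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BROKER_HOST="mqtt.example.com"    # placeholder: the name in your wss:// URL
OTHER_HOST="other.example.com"    # placeholder: a subdomain NOT in the cert

make_certs() {
  # 1. Private CA (plays the role of the issuer behind cacert.pem).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca-key.pem" -out "$WORK/cacert.pem" \
    -subj "/CN=Demo Private CA" 2>/dev/null
  # 2. Broker key and CSR.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/key.pem" -out "$WORK/broker.csr" \
    -subj "/CN=$BROKER_HOST" 2>/dev/null
  # 3. Sign it. Browsers match the URL host against subjectAltName, not CN,
  #    so every hostname (including each subdomain) must be listed here.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$BROKER_HOST" \
    > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/broker.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/ca-key.pem" -set_serial 1 -days 365 \
    -extfile "$WORK/san.cnf" -out "$WORK/cert.pem" 2>/dev/null
}

# verify_for_host CAFILE HOST
#   CAFILE = CA to trust ("" means the system store only, i.e. the CA was
#            never imported), HOST = the name the client is connecting to.
#   Exit 0 only when the chain verifies AND the hostname matches the SAN,
#   which is exactly the condition a browser applies to a wss:// connection.
verify_for_host() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/cert.pem" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$2" "$WORK/cert.pem" >/dev/null 2>&1
  fi
}

# Print the subjectAltName extension so the listed hostnames can be inspected.
show_san() {
  openssl x509 -in "$WORK/cert.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

main() {
  make_certs
  echo "Broker certificate SAN:"
  show_san
  report() {
    if verify_for_host "$1" "$2"; then echo "OK  : $3"; else echo "FAIL: $3"; fi
  }
  report "$WORK/cacert.pem" "$BROKER_HOST" "CA imported, URL host listed in SAN"
  report ""                  "$BROKER_HOST" "CA not in trust store (the wss:// case in the question)"
  report "$WORK/cacert.pem" "$OTHER_HOST"  "CA imported, but a subdomain missing from the SAN"
}

main "$@"
```

Only the first check passes. The second reproduces the question's situation: accepting a warning on an https page does not add the CA to the trust store, so the broker's certificate still fails to verify for the wss connection. The third answers the subdomain comment: a certificate for the apex domain is not accepted for `sub.domain` unless that name (or a `*.domain` wildcard) is in its subjectAltName.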