
How can Mosquitto (the version integrated into Home Assistant) be configured to connect as a bridge to a remote broker using only the "CA signed server certificate" option (like MQTT.fx does) with a Let's Encrypt certificate?

E.g. http://mqttfx.jensd.de/ has this option in the connection settings and the connection to the broker works fine:


The configuration looks like this:

connection bridge-01
 log_type all
 require_certificate false
 cleansession true
 try_private true
 bridge_protocol_version mqttv311
 bridge_insecure false
 bridge_cafile /etc/ssl/letsencrypt.crt
 address mycompany.com:8883
 remote_clientid raspi_test
 remote_username raspi
 remote_password password
 topic # out 0

Just as hints:

  • Adding the Let's Encrypt root certificate or Let's Encrypt Authority X3 certificate (https://letsencrypt.org/certificates/) as bridge_cafile fails with a certificate validation error or with socket error on client raspi.local....
  • Home Assistant is run on a Raspberry Pi 4 (just for completeness)
  • MQTT broker version is Mosquitto 5.1 (Home Assistant plugin)
  • The connection (clientid, username and password) is ok, works with MQTT.fx
FranzHuber23

1 Answer


Using bridge_capath /etc/ssl/certs/ instead of bridge_cafile /etc/ssl/letsencrypt.crt worked for us.

There are already a lot of pre-installed trusted certificates and the added ones (Let's Encrypt root certificate or Let's Encrypt Authority X3 certificate) in the folder.

A good link to another question explaining this (also it didn't help me) is "bridge local mosquitto to cloud broker".

FranzHuber23
  • Do you mean `bridge_capath` not `bridge_cafile`? The problem with the `letsencrypt.crt` is that it probably doesn't contain the full chain. – hardillb Jun 18 '20 at 13:57
  • @hardillb Sorry for the spelling issue. And yes, that was exactly the problem. – FranzHuber23 Jun 18 '20 at 17:05
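
The incomplete-chain point from the comments can be reproduced offline with `openssl verify`. This is an added example, not part of the original posts: the three-level CA and all names are constructed. It assumes Mosquitto's OpenSSL-based verification treats `bridge_cafile` and `bridge_capath` like `-CAfile` and `-CApath`.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI in a temp dir.
# All names are made up; nothing here contacts a real broker.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"

mkreq() {  # mkreq NAME CN: writes NAME.key and NAME.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
sign() {   # sign NAME ISSUER [extra x509 options]: ISSUER signs NAME.csr
    name=$1 issuer=$2; shift 2
    openssl x509 -req -in "$W/$name.csr" -CA "$W/$issuer.pem" \
        -CAkey "$W/$issuer.key" -CAcreateserial -days 2 \
        -out "$W/$name.pem" "$@" 2>/dev/null
}
mkreq root  "Constructed Root CA"
mkreq inter "Constructed Intermediate CA"
mkreq leaf  "broker.example.test"
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" \
    -extfile "$W/ca.ext" -days 2 -out "$W/root.pem" 2>/dev/null
sign inter root -extfile "$W/ca.ext"
sign leaf inter

# capath-style directory: the root only, named by subject hash the way
# /etc/ssl/certs is laid out.
mkdir "$W/certs"
cp "$W/root.pem" "$W/certs/$(openssl x509 -noout -hash -in "$W/root.pem").0"

# chain_ok OPTION PATH: exit 0 when the leaf verifies against that trust source.
# -untrusted stands in for the intermediate the broker sends in its handshake.
chain_ok() {
    openssl verify "$1" "$2" -untrusted "$W/inter.pem" "$W/leaf.pem" \
        >/dev/null 2>&1
}
report() {
    if chain_ok "$1" "$2"; then echo "OK    $1 ${2##*/}"
    else echo "FAIL  $1 ${2##*/}"; fi
}
report -CAfile "$W/root.pem"    # self-signed root as trust anchor
report -CAfile "$W/inter.pem"   # intermediate only: chain never reaches a root
report -CApath "$W/certs"       # hashed directory containing the root
```

Against a live broker the same comparison can be made with `openssl s_client -connect <host>:8883 -CAfile <file>` versus `-CApath /etc/ssl/certs/`, reading the `Verify return code` line.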