My team and I are working on an IoT home automation system. It is crucial for our system to handle real-time updates and dependencies between devices through the MQTT protocol. Everything seemed to work just fine before we decided to move to MQTTS. We issued the SSL certificate with the help of Nginx Proxy Manager; after adding the letsencrypt directory to the docker-compose file and running it, the broker persistently rejects connections.
When checking the mosquitto log, I get the output: `Certificate Verify error`
docker-compose.yml:
```yaml
version: "3.7"
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
  pyth:
    image: 'foxide123/prediction-model-image:1.2'
    restart: always
    ports:
      - '5000:5000'
    volumes:
      - ./letsencrypt:/etc/letsencrypt
  mqtt:
    container_name: ohmio_mqtt
    image: ohmio_mqtt_image
    restart: always
    volumes:
      - ./mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ./pwfile:/mosquitto/config/pwfile
      - ./data:/mosquitto/data/
      - ./letsencrypt:/mosquitto/certificates
      - ./log:/mosquitto/log
    ports:
      - "8883:8883"
```
The mosquitto.conf file (/etc/mosquitto/mosquitto.config):
```conf
listener 8883 0.0.0.0
certfile /mosquitto/certificates/live/npm-3/fullchain.pem
keyfile /mosquitto/certificates/live/npm-3/privkey.pem
allow_anonymous false
password_file /mosquitto/config/pwfile/passwd
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
log_type all
require_certificate true
```
Configuration file for Nginx:
```nginx
server {
    listen 8883 ssl;   # TLS on this port; the ssl_* directives below have no effect without it
    server_name mqtt.ohmio.org;
    ssl_certificate     nginx_npm/letsencrypt/live/npm-3/fullchain.pem;
    ssl_certificate_key nginx_npm/letsencrypt/live/npm-3/privkey.pem;   # private key
    ssl_protocols TLSv1.2 TLSv1.3;
}
```
At first I tried to directly generate the certificate through "letsencrypt"; the error I got was `Certificate Verify error`. Later on I decided to use Nginx Proxy Manager for generating the certificates, and the error persisted the same.
The problem is `require_certificate true`. From the `mosquitto.conf` man page, this is saying the clients MUST supply a client certificate to identify themselves to the broker when opening the connection. This option requires a matching `cafile` or `capath` entry which points to the CA certificate that issued the clients' certificates so they can be verified.

In this case it looks like you are using username/passwords to authenticate/identify clients, not client certificates, so you need to remove the `require_certificate true` option from the `mosquitto.conf`.
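The rule the answer quotes (client-certificate verification needs a `cafile` or `capath` to verify against) is easy to check mechanically before restarting a broker. The following script is an added example, not code from the question, the answer or the Mosquitto project; it parses the TLS-relevant lines of a `mosquitto.conf` and reports the mismatch. The three configurations embedded in it are constructed for this example: the first mirrors the listener lines from the question, the second is the same listener fixed as the answer suggests, and the third is a mutual-TLS variant where `require_certificate true` is legitimate because a `cafile` is present (the `client-ca.pem` path in it is an assumed placeholder).

```python
"""Consistency check for the TLS/authentication lines of a mosquitto.conf.

Added example; assumes a single listener per file (mosquitto.conf may
repeat `listener`, which this simple parser does not model).
"""

from typing import Dict, List

# Constructed: the listener settings from the question. Password auth is
# configured, but require_certificate was left on without a cafile/capath.
BROKEN_CONF = """\
listener 8883 0.0.0.0
certfile /mosquitto/certificates/live/npm-3/fullchain.pem
keyfile /mosquitto/certificates/live/npm-3/privkey.pem
allow_anonymous false
password_file /mosquitto/config/pwfile/passwd
require_certificate true
"""

# Constructed: the same listener with require_certificate removed, as the answer advises.
PASSWORD_AUTH_CONF = """\
listener 8883 0.0.0.0
certfile /mosquitto/certificates/live/npm-3/fullchain.pem
keyfile /mosquitto/certificates/live/npm-3/privkey.pem
allow_anonymous false
password_file /mosquitto/config/pwfile/passwd
"""

# Constructed: mutual TLS. require_certificate is valid here because cafile
# names the CA that issued the client certificates (path is an assumed placeholder).
MUTUAL_TLS_CONF = """\
listener 8883 0.0.0.0
certfile /mosquitto/certificates/live/npm-3/fullchain.pem
keyfile /mosquitto/certificates/live/npm-3/privkey.pem
cafile /mosquitto/certificates/client-ca.pem
require_certificate true
use_identity_as_username true
"""

REQUIRE_CERT_FINDING = (
    "require_certificate true needs a cafile or capath; "
    "remove it if clients authenticate with username/password"
)


def parse_conf(text: str) -> Dict[str, str]:
    """Parse `option value` lines, skipping blanks and '#' comments."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options[key] = value.strip()
    return options


def check_tls_listener(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing inconsistent was found."""
    opts = parse_conf(text)
    findings: List[str] = []

    # The server certificate and its private key are only useful as a pair.
    if ("certfile" in opts) != ("keyfile" in opts):
        findings.append("certfile and keyfile must be configured together")

    # The rule from the answer: the broker cannot verify client certificates
    # without a CA certificate (cafile) or CA directory (capath) to check them against.
    wants_client_certs = opts.get("require_certificate") == "true"
    if wants_client_certs and not ("cafile" in opts or "capath" in opts):
        findings.append(REQUIRE_CERT_FINDING)

    # With anonymous access disabled, some identity mechanism must remain:
    # a password file or client-certificate authentication.
    if opts.get("allow_anonymous") == "false" and not (
        "password_file" in opts or wants_client_certs
    ):
        findings.append("allow_anonymous false but no password_file or client-cert auth configured")

    return findings


if __name__ == "__main__":
    for name, conf in [("broken", BROKEN_CONF),
                       ("password-auth", PASSWORD_AUTH_CONF),
                       ("mutual-tls", MUTUAL_TLS_CONF)]:
        result = check_tls_listener(conf)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Running it prints one finding for the first configuration and `OK` for the other two, which is the distinction the answer draws: drop `require_certificate` when identity comes from the password file, or keep it and add the CA entry when identity comes from client certificates.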