Mosquitto with SSL and wildcard certificate does not work without --capath option


I have an MQTT server and wanted to start using SSL instead of plain MQTT. I configured the server correctly to use my wildcard certificate but it won't work without the --capath /etc/ssl/certs option. Additionally, my ZwaveJS2MQTT instance will not work over SSL (probably because of the missing certification path). I am using the wildcard certificate on multiple servers (Debian, OpenVPN...) and have never encountered such an issue.

On the subscriber side:

pi@raspi1:~ $ mosquitto_sub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave"
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
^C
pi@raspi1:~ $ mosquitto_sub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" --capath /etc/ssl/certs
Client mosqsub|29078-raspi1.sm sending CONNECT
Client mosqsub|29078-raspi1.sm received CONNACK (0)
Client mosqsub|29078-raspi1.sm sending SUBSCRIBE (Mid: 1, Topic: zwave, QoS: 0)
Client mosqsub|29078-raspi1.sm received SUBACK
Subscribed (mid: 1): 0
Client mosqsub|29078-raspi1.sm received PUBLISH (d0, q0, r0, m0, 'zwave', ... (4 bytes))
test
^C

On the publisher side:

pi@raspi1:~ $ mosquitto_pub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" -m "test" 
Client mosqpub|29067-raspi1.sm sending CONNECT
Error: The connection was lost.
pi@raspi1:~ $ mosquitto_pub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" -m "test" --capath /etc/ssl/certs
Client mosqpub|29069-raspi1.sm sending CONNECT
Client mosqpub|29069-raspi1.sm received CONNACK (0)
Client mosqpub|29069-raspi1.sm sending PUBLISH (d0, q0, r0, m1, 'zwave', ... (4 bytes))
Client mosqpub|29069-raspi1.sm sending DISCONNECT

When running a test on my wildcard certificate, I see the following errors:

Certificates provided   3 (3600 bytes)
Chain issues    Incorrect order, Contains anchor
#2
Subject GlobalSign Root CA   In trust store
...
Valid until Fri, 28 Jan 2028 12:00:00 UTC (expires in 6 years and 5 months)
Key RSA 2048 bits (e 65537)
Issuer  GlobalSign Root CA   Self-signed
Signature algorithm SHA1withRSA   Weak, but no impact on root certificate
#3
Subject AlphaSSL CA - SHA256 - G2
...
Valid until Tue, 20 Feb 2024 10:00:00 UTC (expires in 2 years and 6 months)
Key RSA 2048 bits (e 65537)
Issuer  GlobalSign Root CA
Signature algorithm SHA256withRSA

The certification path shows this:

Path #1: Trusted
1   Sent by server  *.hostname.com
...
RSA 2048 bits (e 65537) / SHA256withRSA
2   Sent by server  AlphaSSL CA - SHA256 - G2
...
RSA 2048 bits (e 65537) / SHA256withRSA
3   Sent by server
In trust store  GlobalSign Root CA   Self-signed
...
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate

There is 1 best solution below


From the mosquitto_pub/mosquitto_sub man page:

To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option.

The mosquitto command line tools do not have a default CA certificate source, so to enable TLS based connections you MUST provide a path to either a CA cert file or a directory of CA cert files.

And if providing a path to a directory of CA certs it must be prepared with the following:

For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "openssl rehash" each time you add/remove a certificate.
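As an added example (not part of the question, the answer, or the mosquitto project), the following shell script prepares a --capath directory exactly the way the man page requires (".crt" file names, then "openssl rehash") and uses "openssl verify -CApath", which performs the same issuer lookup the mosquitto clients do, to show that a certificate chains to the directory and that one signed by a CA outside the directory does not. The CA and server certificates are generated on the fly so the script runs offline; "testroot", "otherroot", "*.hostname.com" and the temporary paths are placeholders, not the poster's real certificates. The only requirement is an openssl binary (1.1.0 or newer, for "openssl rehash").

```shell
#!/bin/sh
# Added example, not from the question or the answer: prepare a directory the
# way the mosquitto man page requires for --capath (".crt" names, then
# "openssl rehash"), and prove with "openssl verify" that a certificate chains
# to it. The CA and server certificates are generated here, so this runs
# offline; "testroot", "otherroot" and "*.hostname.com" are placeholders.
set -eu

WORK="$(mktemp -d)"
CAPATH="$WORK/capath"
mkdir -p "$CAPATH"
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed test CA, standing in for the real trust anchor
# (GlobalSign Root CA in the question). Written to $WORK/<name>.pem.
make_test_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
        -subj "/CN=$name test CA" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# Constructed server certificate with CN $2, signed by the test CA named in $1,
# written to $WORK/$3.pem.
make_server_cert() {
    ca="$1"; cn="$2"; out="$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$ca.pem" \
        -CAkey "$WORK/$ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$WORK/$out.pem" 2>/dev/null
}

# The two rules from the man page: every CA file ends in ".crt", and the
# directory is rehashed after any change so OpenSSL can locate issuers by
# subject-name hash (the <hash>.0 symlinks that rehash creates).
prepare_capath() {
    dir="$1"; shift
    for pem in "$@"; do
        cp "$pem" "$dir/$(basename "${pem%.pem}").crt"
    done
    openssl rehash "$dir" 2>/dev/null
}

# Returns 0 when $2 chains to a CA found in the capath directory $1; this is
# the same lookup mosquitto_sub/mosquitto_pub perform for --capath.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Number of <hash>.N links rehash produced; 0 means the directory is unusable.
count_hash_links() {
    ls "$1" | grep -Ec '^[0-9a-f]{8}\.[0-9]+$'
}

make_test_ca testroot
make_test_ca otherroot
make_server_cert testroot "*.hostname.com" server
make_server_cert otherroot "*.hostname.com" rogue
prepare_capath "$CAPATH" "$WORK/testroot.pem"

if verify_with_capath "$CAPATH" "$WORK/server.pem"; then
    echo "server.pem chains to a CA in $CAPATH ($(count_hash_links "$CAPATH") hash link(s))"
fi
if ! verify_with_capath "$CAPATH" "$WORK/rogue.pem"; then
    echo "rogue.pem (signed by a CA that is not in the directory) is rejected"
fi

# With the directory prepared, the subscriber command from the question becomes
# (not run here: it needs the broker and the network):
#   mosquitto_sub -h apollo.hostname.com -p 8883 -u ha -P '...' -t zwave --capath "$CAPATH"
```

On Debian the reason `--capath /etc/ssl/certs` works out of the box is that the ca-certificates package already maintains that directory in this form: update-ca-certificates writes the `.pem` files and the hash symlinks, so nothing needs rehashing there. The same applies to a directory of your own only after `openssl rehash` has run; copying a `.crt` file in without rehashing leaves the clients unable to find the issuer, which looks exactly like the repeated CONNECT with no CONNACK in the question.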