Mosquitto certificate verify failed with protocol error - ssl

I'm having trouble setting up mosquitto to encrypt over SSL/TLS. I have followed the instructions of mosquitto to generate the certificate and key. The code used is as follows:
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt.crt
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt.crt -CAkey ca.key -CAcreateserial -out server.crt.crt -days 3650
Then I configured in mosquitto.conf as follows:
listener 8883
allow_anonymous true
cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
certfile d:\etc\mosquitto\certs\server.crt.crt
keyfile d:\etc\mosquitto\certs\server.key
Then I used the code
mosquitto -v -c mosquitto.conf
The results of running mosquitto are as follows:
D:\etc\mosquitto>mosquitto -v -c mosquitto.conf
1663109874: mosquitto version 2.0.15 starting
1663109874: Config loaded from mosquitto.conf.
1663109874: Opening ipv6 listen socket on port 8883.
1663109874: Opening ipv4 listen socket on port 8883.
1663109874: mosquitto version 2.0.15 running
But I have a problem when I try to run the subscribe and publish commands. I ran the following code:
mosquitto_sub -d -v -h 91.121.93.94 -p 8883 -t test --cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
91.121.93.94 is the Common Name I set to generate the server key. Then I got the error as below:
Client null sending CONNECT
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: protocol error
I don't know where I am going wrong or if I have not configured something in mosquitto.conf.

Related

Mosquitto server conf for using PFX certificate

I had been able to get a TLS connection with mosquitto using CA.crt, server.crt, server.key plus client.crt and client.key. I have been able to sub and pub with no problem using MQTTfx and just command lines. Below is my full setting for anyone who needs it, and I am looking for some help to use pfx certs.
I am asked to figure out how to sub and pub to the broker using a PFX client cert (contains client.crt and client.key) along with ca.crt, which I don't see as an option in MQTTfx 1.7 or in the CMD examples I can find online. I am wondering if anyone has had this experience using PFX and can enlighten me with broker settings and sub examples.
Broker setting:
listener 8883
log_type error
log_type notice
log_type information
log_type debug
require_certificate true
use_identity_as_username true
cafile C:\Program Files\mosquitto\cert\ca.crt
keyfile C:\Program Files\mosquitto\cert\server.key
certfile C:\Program Files\mosquitto\cert\server.crt
Subscription command line
mosquitto_sub -h 192.167.41.17 -t home/garden/fountain --cafile "C:\ca.crt" --cert "C:\client.crt" --key "c:\client.key" -d -p 8883
Certificates used in this project are self-signed:
To create CA:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
To create server:
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
To create client:
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
To create the pfx:
openssl pkcs12 -export -out certbag.pfx -inkey client.key -in client.crt -in
mosquitto_pub & mosquitto_sub will only accept PEM encoded files for all certificates/keys. There is no way to directly use a PKCS12 (.p12 or .pfx) certificate store/bundle with these tools.
If version v1.7 of MQTT.fx (given the latest version is v5.0) also doesn't support being passed a PKCS12 bundle then there is no magic way you can make it; your only option is to use openssl to break it up into its parts (cert, key and CA cert) encoded in PEM format and pass those files.
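Splitting the bundle as the answer describes, as an added example that is not part of the original answer: it uses `openssl pkcs12` to write the client certificate, private key and CA certificate as separate PEM files, then checks that the key and certificate belong together. The password, the output directory and the throwaway CA built by `make_sample_pfx` are constructed for the demo.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into the PEM files mosquitto_sub accepts.
# The password, file names and throwaway CA are constructed for the demo.

# split_pfx BUNDLE PASSWORD OUTDIR -> writes client.crt, client.key, ca.crt as PEM
split_pfx() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    # Client (leaf) certificate only, no private key
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/client.crt" || return 1
    # Private key only; -nodes writes it unencrypted, so restrict the file mode
    ( umask 077; openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/client.key" ) || return 1
    # CA certificate(s) carried in the bundle
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.crt"
}

# key_matches_cert KEY CERT -> success when both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_sample_pfx DIR -> constructed CA, client certificate and certbag.pfx
make_sample_pfx() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -out "$d/certbag.pfx" -inkey "$d/client.key" \
        -in "$d/client.crt" -certfile "$d/ca.crt" -passout pass:constructed
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_pfx "$tmp" && split_pfx "$tmp/certbag.pfx" constructed "$tmp/pem" &&
        key_matches_cert "$tmp/pem/client.key" "$tmp/pem/client.crt" &&
        openssl verify -CAfile "$tmp/pem/ca.crt" "$tmp/pem/client.crt"
    rc=$?; rm -rf "$tmp"; return "$rc"
}

# Run the constructed demo with: sh split_pfx.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The three output files are what `mosquitto_sub` takes through `--cafile`, `--cert` and `--key` in the subscription command above.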

Mosquitto with MQTTS and WSS in the same broker

I am trying to set up a Mosquitto broker using secure connection.
I was able to configure and make it work correctly with MQTTS, I was able to test using my ESP32 and MQTTBox
Now I am trying to use a websocket to connect a web application but I believe that I am failing in some Mosquitto configuration.
For MQTTS I used "CA signed server certificate" and port 8083 and everything worked fine with MQTTBox and ESP32.
I spent the whole weekend researching and trying different configurations but I was unable to make the connection work in both ways. Can someone help me? Thanks!
# First of all, use these options in mosquitto.conf
per_listener_settings true
allow_anonymous false
password_file /usr/local/etc/mosquitto/pwfile.conf
# Rules for access topics
acl_file /usr/local/etc/mosquitto/aclfile.conf
# Now, use these options in mosquitto.conf
listener 8883
cafile /usr/local/etc/mosquitto/certs/ca.crt
certfile /usr/local/etc/mosquitto/certs/server.crt
keyfile /usr/local/etc/mosquitto/certs/server.key
listener 8083
websockets
cafile /usr/local/etc/mosquitto/certs/ca.crt
certfile /usr/local/etc/mosquitto/certs/server.crt
keyfile /usr/local/etc/mosquitto/certs/server.key
EDIT, this is the Mosquitto log:
1621899173: mosquitto version 2.0.10 starting
1621899173: Config loaded from /usr/local/etc/mosquitto/mosquitto.conf.
1621899173: Opening ipv6 listen socket on port 8883.
1621899173: Opening ipv4 listen socket on port 8883.
1621899173: Opening websockets listen socket on port 8083.
1621899173: mosquitto version 2.0.10 running
1621899174: Sending CONNACK to ::ffff:192.168.15.2 (0, 5)
1621899174: Client <unknown> closed its connection.
1621899176: Sending CONNACK to ::ffff:192.168.15.2 (0, 5)
1621899176: Client <unknown> closed its connection.
1621899177: Sending CONNACK to ::ffff:192.168.15.2 (0, 5)
1621899177: Client <unknown> closed its connection.
EDIT, I used these commands to create the certificate:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
openssl x509 -in server.crt -sha1 -noout -fingerprint
From the mosquitto.conf man page
protocol value
Set the protocol to accept for the current listener. Can be mqtt, the default, or websockets if available.
Websockets support is currently disabled by default at compile time. Certificate based TLS may be used with websockets, except that
only the cafile, certfile, keyfile, ciphers, and ciphers_tls1.3
options are supported.
Not reloaded on reload signal.
Your Websockets listener should look like this:
listener 8083
protocol websockets
cafile /usr/local/etc/mosquitto/certs/ca.crt
certfile /usr/local/etc/mosquitto/certs/server.crt
keyfile /usr/local/etc/mosquitto/certs/server.key

Getting error message when I use SSL on my server running Mosquitto?

I have implemented the mosquitto broker for ubuntu on port 8883 and port 1883 and can't figure out why I keep getting the CA related errors shown below.
It happens when I test it using mosquitto_pub locally on the server and when I use the Paho/Python script as the client on my MacBook. My mosquitto.config file, mosquitto_pub command, and my mosquitto log messages are shown below. I've also included my openssl certificate creation commands in case I did something wrong.
This is my mosquitto.conf file
# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
include_dir /etc/mosquitto/conf.d
log_type all
#-----------------------------------------------
#Default Listener
#-----------------------------------------------
port 8883
#------------------------------------------------
#Certificate Based SSL/TLS Support
#------------------------------------------------
cafile /../etc/mosquitto/ca_certificates/ca.crt
keyfile /../etc/mosquitto/certs/server.key
certfile /../etc/mosquitto/certs/server.crt
listener 1883
This is the mosquitto_pub command I use to test it.
sudo mosquitto_pub -h 305.875.987.34 -t test -m "Typing this" -p 8883 --cafile /../etc/mosquitto/ca_certificates/ca.crt
This is what the mosquitto log says when I run it.
1546507891: mosquitto version 1.5.5 starting
1546507891: Config loaded from /../etc/mosquitto/mosquitto.conf.
1546507891: Opening ipv4 listen socket on port 1883.
1546507891: Opening ipv6 listen socket on port 1883.
1546507891: Opening ipv4 listen socket on port 8883.
1546507891: Opening ipv6 listen socket on port 8883.
1546507929: New connection from 305.875.987.34 on port 8883.
1546507929: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1546507929: Socket error on client <unknown>, disconnecting.
These are the openssl commands I used to create ca.crt, server.crt, and server.key. I created them in a folder called certs.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
I then moved ca.crt to /../etc/mosquitto/ca_certifications after deleting an old ca.crt I had made trying to fix the problem. I did this with the following two commands.
sudo rm /../etc/mosquitto/ca_certifications/ca.crt
sudo mv ca.crt /../etc/mosquitto/ca_certifications
I did the same thing with server.crt and server.key except I put them in /../etc/mosquitto/certs.
The broker seems to work fine on port 1883.
Let me know if you need any more info.
To start with I would rearrange your mosquitto.conf to make things more obvious what is linked to what and to remove the relative paths to your certs/key files as follows:
# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
include_dir /etc/mosquitto/conf.d
log_type all
#-----------------------------------------------
#Default Listener
#-----------------------------------------------
port 1883
#------------------------------------------------
#Certificate Based SSL/TLS Support
#------------------------------------------------
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
I've swapped the port/listener entries to make it obvious that the SSL setup is bound to the port 8883 listener. I've also removed the /../ from the start of the paths as this is meaningless as it's impossible to go "up" a directory from the / "root".
Likewise you should use the direct paths for the mosquitto_pub command.
Also as you are copying files around as root (with sudo), make sure that the cert/key files are readable by the mosquitto user.

Mosquitto SSL certificate verify failed

I'm using Mosquitto version 1.4.8 on my test PC and the server. The server is accessible via ha.euroicc.com.
I've generated certificates and keys using the following script:
#! /usr/bin/env bash
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial should be different from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Verify Server Certificate
openssl verify -purpose sslserver -CAfile ca.crt server.crt
# Verify Client Certificate
openssl verify -purpose sslclient -CAfile ca.crt client.crt
I've put 'd', 'dd' and 'dddd' everywhere except for common name.
The common name for ca is 'd' and for server/client is 'ha.euroicc.com'.
CN for server/client needs to be this value, or it doesn't work at all!
My current mosquitto config file:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
password_file /etc/mosquitto/passwd
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
port 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I use this command to subscribe from test PC:
mosquitto_sub -h ha.euroicc.com -t "topic/test" -u "damjan" -P "damjan" -p 8883 --cafile ca.crt --key client.key --cert client.crt
And get these errors:
On test PC:
Error: A TLS error occurred.
On server:
1532564086: OpenSSL Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
1532564086: Socket error on client <unknown>, disconnecting.
I've tried without require_certificate set on the server side, and not using client key/cert on the client side and subscription works in this case. This means that username/password parameters are fine.
That means that I either generated certificates and keys with a problem, my mosquitto.conf is bad or I'm using mosquitto_sub with a problem. Maybe something else?
I'm really at a loss here and can't figure out what to try next...
Every bit of information helps.
Had a similar issue while upgrading to 2.0: because of the updated TLS/SSL bindings, several known weak algorithms are not supported anymore.
In my case the signature of the certificate was sha1WithRSAEncryption where sha1 is the weak part. The same would be for e.g. MD5.
Check your certificate with openssl x509 -text -noout -in your.crt
Resigning the certificate with sha256WithRSAEncryption fixed it for me.
There is no need to create a new key.
You can either create a new CSR from your existing key and information from your certificate:
openssl x509 -x509toreq -in sha1.crt -signkey sha1.key -out sha256-new.csr -sha256
or overwrite the algorithm while signing the existing CSR again:
openssl x509 -req -days 360 -in sha1.csr -CA DummyCA-DonotTrust.pem -CAkey DummyCA-DonotTrust.pem -CAcreateserial -out sha256.crt -sha256
Recent openssl versions should use sha256 as default.
Debian has changed the default setting with openssl-1.1.1 (see https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1) and set CipherString = DEFAULT@SECLEVEL=2.
To get a list of supported algorithms run: openssl ciphers -s -v 'ALL:@SECLEVEL=2'
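The check and the re-signing step from this answer, as an added example that is not part of the original answer: it reads the signature algorithm out of `openssl x509 -text`, flags MD5 and SHA-1 based signatures, and re-issues the certificate from the existing CSR with `-sha256`. The CA, subject names and file names built by `make_sample` are constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: find a weak signature digest and re-issue the certificate
# from the existing CSR with SHA-256. All sample material is constructed.

# sig_alg CERT -> prints the signature algorithm, e.g. sha256WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# is_weak_sig NAME -> success for MD5 or SHA-1 based signatures.
# RSASSA-PSS prints its hash on a separate line and is not covered here.
is_weak_sig() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit CERT -> prints "WEAK <alg>" or "ok <alg>"
audit() {
    a=$(sig_alg "$1") || return 1
    if is_weak_sig "$a"; then echo "WEAK $a"; else echo "ok $a"; fi
}

# resign_sha256 CSR CA_CERT CA_KEY OUT -> same key and subject, new digest
resign_sha256() {
    openssl x509 -req -days 360 -in "$1" -CA "$2" -CAkey "$3" \
        -CAcreateserial -out "$4" -sha256 2>/dev/null
}

# make_sample DIR -> constructed CA plus a server CSR signed once with SHA-1
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=broker.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/sha1.crt" -sha1 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp" && audit "$tmp/sha1.crt" &&
        resign_sha256 "$tmp/server.csr" "$tmp/ca.crt" "$tmp/ca.key" "$tmp/sha256.crt" &&
        audit "$tmp/sha256.crt"
    rc=$?; rm -rf "$tmp"; return "$rc"
}

# Run the constructed demo with: sh sigcheck.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```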
Ok, so the problem was that I was generating all of the files on my test PC, and then sending it to the server.
I've tried generating everything on the server, and then copying appropriate files to my test PC, and everything works fine.
I've followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt . With lesser changes like hostname etc.
I had the same issue.
To fix it, while generating server.crt, answer the 'Common Name' question with the IP address of the machine where the MQTT broker is going to be run.

Getting error "Error loading private server key"

So I was implementing rush in Orion Context Broker Server instance, and whenever I try to start the contextBroker with the following command:
contextBroker -rush localhost:1234 -https -key privkey.pem -cert cert.csr
I'm getting the following error:
E#18:16:11 loadFile[1101]: error opening 'privkey.pem': No such file or directory
X#18:16:11 main[1258]: Error loading private server key from 'privkey.pem'
I generated my private key with the following command, I don't know if it's correct:
openssl genrsa -des3 -out privkey.pem 2048
And I generated my certificate with the following command:
openssl req -new -key privkey.pem -out cert.csr
Am I doing something wrong?
You have to use absolute path names, i.e.:
contextBroker -rush localhost:1234 -https -key /path/to/privkey.pem -cert /path/to/cert.csr
A note has been added to the CLI commands documentation to make this clearer.
In addition, you may find useful the following script on how to generate the needed files:
...
openssl genrsa -out "$keyFileName" 1024 > /dev/null 2>&1
openssl req -days 365 -out "$certFileName" -new -x509 -key "$keyFileName" -subj "$OPTIONS" > /dev/null 2>&1