I have installed Tomcat on a Centos7 machine.
The tomcat on this machine is accessible from users connected to the company vpn.
http://10.xx.xx.xx:8080 works fine, but when we tried to secure the connection and use SSL with the APR Connector, that does not work.
To generate my certificates I followed these steps:
Generate a private key for the CA:
$ openssl genrsa 2048 > ca-key.pem
Generate the X509 certificate for the CA:
$ openssl req -new -x509 -nodes -days 365000 \
-key ca-key.pem \
-out ca-cert.pem
Creating the Server's Certificate and Keys
Generate the private key and certificate request:
$ openssl req -newkey rsa:2048 -nodes -days 365000 \
-keyout server-key.pem \
-out server-req.pem
Generate the X509 certificate for the server:
$ openssl x509 -req -days 365000 -set_serial 01 \
-in server-req.pem \
-out server-cert.pem \
-CA ca-cert.pem \
-CAkey ca-key.pem
Verifying the Certificates :
$ openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
>ca-cert.pem: OK
>server-cert.pem: OK
My server.xml configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLCertificateFile="/opt/tomcat/cert/server-cert.pem"
SSLCertificateKeyFile="/opt/tomcat/cert/server-key.pem" />
The log file says that everything went OK:
07-Apr-2022 17:27:57.028 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-apr-8080"]
07-Apr-2022 17:27:57.055 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-apr-8443"]
I tried to use the JSSE connector but same thing. HTTP works fine but not HTTPS.
Testing with elinks locally:
but telnet says that the network is OK and it can connect to the server on port 8443.
I'm having trouble setting up mosquitto to encrypt over SSL/TLS. I have followed the instructions of mosquitto to generate the certificate and key. The code used is as follows:
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt.crt
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt.crt -CAkey ca.key -CAcreateserial -out server.crt.crt -days 3650
Then I configured in mosquitto.conf as follows:
listener 8883
allow_anonymous true
cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
certfile d:\etc\mosquitto\certs\server.crt.crt
keyfile d:\etc\mosquitto\certs\server.key
Then I used the code
mosquitto -v -c mosquitto.conf
The results of running mosquitto are as follows:
D:\etc\mosquitto>mosquitto -v -c mosquitto.conf
1663109874: mosquitto version 2.0.15 starting
1663109874: Config loaded from mosquitto.conf.
1663109874: Opening ipv6 listen socket on port 8883.
1663109874: Opening ipv4 listen socket on port 8883.
1663109874: mosquitto version 2.0.15 running
But I have a problem when I want to try to make the subscribe and publish commands. I ran the following code:
mosquitto_sub -d -v -h 91.121.93.94 -p 8883 -t test --cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
91.121.93.94 is the Common Name I set to generate the server key. Then I got the error as below:
Client null sending CONNECT
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: protocol error
I don't know where I am going wrong or if I have not configured something in mosquitto.conf.
I have provided the broker and the client with certificates. The broker is available at 172.27.224.1.
When I try to connect with the client, I get following error message:
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 172.27.224.1 is not in the cert's list:
at new NodeError (node:internal/errors:371:5)
at Object.checkServerIdentity (node:tls:297:12)
at TLSSocket.onConnectSecure (node:_tls_wrap:1540:27)
at TLSSocket.emit (node:events:390:28)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12) {
reason: "IP: 172.27.224.1 is not in the cert's list: ",
host: '172.27.224.1',
cert: {
subject: [Object: null prototype] {
C: 'AU',
ST: 'Some-State',
O: '',
OU: '',
CN: '172.27.224.1'
},
issuer: [Object: null prototype] {
C: 'DE',
ST: 'Some-State',
O: '',
OU: '',
CN: '172.27.224.1'
},
[...]
What's the error here? The ca.crt is a self-signed cert issued for 172.27.224.1 and issued from 172.27.224.1. The client.crt is issued from 172.27.224.1 and issued for "username".
Shouldn't this work?
Steps I used to generate the certificate:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
I use for the client node.js v16.13 and the mqtt library.
Assuming you are using OpenSSL to create the CA cert then you can do it as follows:
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 \
-keyout ca.key -out ca.crt -reqexts SAN -extensions SAN \
-subj '/CN=Broker Cert' \
-config <(cat /etc/pki/tls/openssl.cnf; printf "[SAN]\nsubjectAltName=IP:172.27.224.1")
This makes an assumption that you are using an openssl.cnf file stored at /etc/pki/tls/openssl.cnf
But as a rule it's better to create a CA cert and then sign server certs with that as it makes changing things easier and you don't need to update all the clients when you want to change something. It also makes issuing client certificates a lot easier.
Please do still update the question with details of the programming language and client library you are using that is now enforcing the SAN rules.
I have been able to get a TLS connection with mosquitto using CA.crt, server.crt, server.key plus client.crt and client.key. I have been able to sub and pub with no problem using MQTTfx and plain command lines. Below are my full settings for anyone who needs them, and I am looking for some help to use pfx certs.
I am asked to figure out how to sub and pub to the broker using a PFX client cert (containing client.crt and client.key) along with ca.crt, which I don't see as an option in MQTTfx 1.7 or in the CMD examples I can find online. Wondering if anyone has had this experience using PFX and can enlighten me with broker settings and sub examples.
Broker setting:
listener 8883
log_type error
log_type notice
log_type information
log_type debug
require_certificate true
use_identity_as_username true
cafile C:\Program Files\mosquitto\cert\ca.crt
keyfile C:\Program Files\mosquitto\cert\server.key
certfile C:\Program Files\mosquitto\cert\server.crt
Subscription command line
mosquitto_sub -h 192.167.41.17 -t home/garden/fountain --cafile "C:\ca.crt" --cert "C:\client.crt" --key "c:\client.key" -d -p 8883
Certificates used in this project are self-signed:
To create CA:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
To create server:
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
To create client:
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 360
To create the pfx:
openssl pkcs12 -export -out certbag.pfx -inkey client.key -in client.crt -in
mosquitto_pub & mosquitto_sub will only accept PEM encoded files for all certificates/keys. There is no way to directly use a PKCS12 (.p12 or .pfx) certificate store/bundle with these tools.
If version v1.7 of MQTT.fx (given the latest version is v5.0) also doesn't support being passed a PKCS12 bundle then there is no magic way you can make it work; your only option is to use openssl to break it up into its parts (cert, key and CA cert) encoded in PEM format and pass those files.
I'm using Mosquitto version 1.4.8 on my test PC and the server. The server is accessible via ha.euroicc.com.
I've generated certificates and keys using the following script:
#! /usr/bin/env bash
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial should be different from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Verify Server Certificate
openssl verify -purpose sslserver -CAfile ca.crt server.crt
# Verify Client Certificate
openssl verify -purpose sslclient -CAfile ca.crt client.crt
I've put 'd', 'dd' and 'dddd' everywhere except for common name.
The common name for ca is 'd' and for server/client is 'ha.euroicc.com'.
CN for server/client needs to be this value, or it doesn't work at all!
My current mosquitto config file:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
password_file /etc/mosquitto/passwd
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
port 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I use this command to subscribe from test PC:
mosquitto_sub -h ha.euroicc.com -t "topic/test" -u "damjan" -P "damjan" -p 8883 --cafile ca.crt --key client.key --cert client.crt
And get these errors:
On test PC:
Error: A TLS error occurred.
On server:
1532564086: OpenSSL Error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
1532564086: Socket error on client <unknown>, disconnecting.
I've tried without require_certificate set on the server side, and not using client key/cert on the client side and subscription works in this case. This means that username/password parameters are fine.
That means that I either generated certificates and keys with a problem, my mosquitto.conf is bad or I'm using mosquitto_sub with a problem. Maybe something else?
I'm really at loss here and can't figure out what to try next...
Every bit of information helps.
Had a similar issue while upgrading to 2.0: because of the updated TLS/SSL bindings, several known weak algorithms are not supported anymore.
In my case the signature of the certificate was sha1WithRSAEncryption where sha1 is the weak part. The same would be for e.g. MD5.
Check your certificate with openssl x509 -text -noout -in your.crt
Resigning the certificate with sha256WithRSAEncryption fixed it for me.
There is no need to create a new key.
You can either create a new CSR from your existing key and information from your certificate:
openssl x509 -x509toreq -in sha1.crt -signkey sha1.key -out sha256-new.csr -sha256
or overwrite the algorithm while signing the existing CSR again:
openssl x509 -req -days 360 -in sha1.csr -CA DummyCA-DonotTrust.pem -CAkey DummyCA-DonotTrust.pem -CAcreateserial -out sha256.crt -sha256
Recent openssl versions should use sha256 as default.
Debian has changed the default setting with openssl-1.1.1, see https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1, and set CipherString = DEFAULT@SECLEVEL=2.
To get a list of supported algorithms run: openssl ciphers -s -v 'ALL:@SECLEVEL=2'
Ok, so the problem was that I was generating all of the files on my test PC, and then sending it to the server.
I've tried generating everything on the server, and then copying appropriate files to my test PC, and everything works fine.
I've followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt with minor changes like hostname etc.
I had the same issue.
To fix it, while generating server.crt, answer to question 'Common Name' with IP address of the machine where Mqtt broker is going to be run.
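The answers in these mosquitto threads, the subjectAltName answer for the Node.js altname error above, and the Docker answer further down all come back to the same handful of certificate properties. The script below is an added example, not code from any post on this page or from mosquitto, Tomcat or Docker. It builds a two-tier PKI (a CA that signs separate server and client leaves, as recommended above) and exposes shell checks for the failure modes these threads hit: an IP that lives only in the CN (clients such as Node only consult subjectAltName for IPs, hence "IP: ... is not in the cert's list"), a sha1WithRSAEncryption signature that OpenSSL rejects at security level 2, a leaf presented for the wrong purpose, and duplicate serials. The same checks apply to any server certificate, including the one in the Tomcat APR connector at the top of the page. All names and addresses (test-ca, broker.example, 172.27.224.1, damjan) are assumptions, as is OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: build a CA plus server/client leaves with openssl and check
# the properties that make "certificate verify failed" go away. Names,
# addresses and serials below are assumed values, not taken from any post.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to check" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed CA. CA:TRUE is stated explicitly; without basicConstraints a
# modern OpenSSL will not accept the cert as an issuer under -purpose checks.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=test-ca" \
  -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 3650 \
  -extfile ca.ext -out ca.crt 2>/dev/null

# issue NAME SUBJECT SERIAL DIGEST EXTENSION...   -> NAME.key and NAME.crt
# Extensions are supplied through -extfile because `openssl x509 -req`
# ignores any extensions carried in the CSR itself.
issue() {
  name=$1; subject=$2; serial=$3; digest=$4; shift 4
  openssl req -new -nodes -newkey rsa:2048 -subj "$subject" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf '%s\n' "$@" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -set_serial "$serial" \
    -days 365 "-$digest" -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Checks. Each exits 0 on success so it can be used in `if` or a test.
sig_alg()        { openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm:/ {print $3; exit}'; }
serial_of()      { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
have_cert()      { openssl x509 -noout -in "$1" >/dev/null 2>&1; }
verify_ip()      { openssl verify -CAfile ca.crt -verify_ip "$2" "$1" >/dev/null 2>&1; }
verify_host()    { openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; }
verify_purpose() { openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; }
verify_level()   { openssl verify -CAfile ca.crt -auth_level "$2" "$1" >/dev/null 2>&1; }
weak_signature() { case "$(sig_alg "$1")" in *sha1*|*md5*) return 0;; *) return 1;; esac; }

# Server cert the way the failing posts made it: the IP only in the CN.
issue cn-only "/CN=172.27.224.1" 1 sha256 "extendedKeyUsage=serverAuth"
# Server cert with IP and hostname in subjectAltName, which is what clients match.
issue server "/CN=broker.example" 2 sha256 \
  "subjectAltName=IP:172.27.224.1,DNS:broker.example" "extendedKeyUsage=serverAuth"
# Client cert with its own serial and clientAuth only (the mutual-TLS leaf).
issue client "/CN=damjan" 3 sha256 "extendedKeyUsage=clientAuth"
# A sha1-signed leaf; some distributions refuse to create one at all, so tolerate failure.
issue legacy "/CN=broker.example" 4 sha1 "extendedKeyUsage=serverAuth" || :

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
report verify_ip      server.crt  172.27.224.1
report verify_ip      cn-only.crt 172.27.224.1    # fails: no SAN, and the CN is not consulted for IPs
report verify_host    server.crt  broker.example
report verify_purpose server.crt  sslserver
report verify_purpose client.crt  sslclient
report verify_purpose client.crt  sslserver       # fails: EKU is clientAuth only
report verify_level   server.crt  2
if have_cert legacy.crt; then
  report verify_level legacy.crt 2                # fails: sha1 is below security level 2
fi
echo "server serial $(serial_of server.crt), client serial $(serial_of client.crt), server sig $(sig_alg server.crt)"
```

Run it as `sh check-pki.sh`; the `FAIL` lines are the expected negatives, each annotated with the reason. To apply the checks to an existing deployment, point `verify_ip` or `verify_host` at the broker's real certificate with the address the client actually dials, and `weak_signature` at any cert that stopped working after an upgrade to mosquitto 2.0.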
I am trying to create a docker swarm that has certificates that expire after 1 year or more. The documentation states the syntax and I tried this docker swarm init --cert-expiry 8760h0m0s
However under cat /var/lib/docker/swarm/certificates/swarm-node.crt when I decipher the certificate the validity is still 3 months. How do I make sure that validity is what I have set it to?
You can generate certificates manually using the OpenSSL tool and configure Docker daemon to use these certificates.
Generate Server Certificates
Generate CA private and public keys:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -out ca.pem
Create a server key and certificate signing request (CSR):
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=my.company.com" -sha256 -new -key server-key.pem -out server.csr
Sign the public key with CA:
echo subjectAltName = DNS:my.company.com,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
Generate the key:
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Generate Client Certificates
Create a client key and certificate signing request:
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Create an extensions config file:
echo extendedKeyUsage = clientAuth >> extfile.cnf
Sign the private key:
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ../server/ca.pem -CAkey ../server/ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Export cert.pem into PFX format to be added into Trusted Root Certification Authorities
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx
Configure Docker daemon with /etc/docker/daemon.json
{
"debug": false,
"tls": true,
"tlsverify": true,
"tlscacert": "/etc/docker/certificates/server/ca.pem",
"tlscert": "/etc/docker/certificates/server/server-cert.pem",
"tlskey": "/etc/docker/certificates/server/server-key.pem",
"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
Start Docker Service
systemctl start docker
Have a look at this article Building Jenkins Pipelines – Setting Up Docker Swarm. There's a step-by-step guide there.
Run the following commands on any of the management nodes:
docker swarm update --cert-expiry 8760h0m0s
docker swarm ca --rotate | openssl x509 -text -noout
The first one will set certificate expiry date.
The last one will actually apply changes and rotate certificates on all swarm nodes automatically. If not interested in decoding cert text output, the openssl part can be omitted.
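A way to confirm that the new expiry actually took effect, as an added example that is not part of either answer above: `openssl x509 -checkend N` exits 0 only if the certificate is still valid N seconds from now, so bracketing the expected lifetime with it answers "is this a one-year cert?" without any date parsing. The two self-signed certificates generated below are constructed stand-ins for a node certificate before and after rotation; on a real manager you would point the functions at /var/lib/docker/swarm/certificates/swarm-node.crt instead. The 90-day and 365-day lifetimes are assumptions matching the question.

```shell
#!/bin/sh
# Added example: check a certificate's remaining lifetime with openssl.
# The certs generated here are constructed stand-ins; replace the path
# with the real swarm-node.crt to check a rotated swarm certificate.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to check" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# valid_for_days CERT DAYS -> 0 if CERT is still valid DAYS from now
valid_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; }

# validity_matches CERT EXPECTED_DAYS -> 0 if the cert expires within a day of
# now + EXPECTED_DAYS, i.e. it was just issued with that lifetime.
validity_matches() {
  valid_for_days "$1" $(( $2 - 1 )) && ! valid_for_days "$1" $(( $2 + 1 ))
}

# not_after CERT -> the notAfter date as printed by openssl
not_after() { openssl x509 -noout -enddate -in "$1" | cut -d= -f2; }

# mk_self_signed NAME DAYS -> NAME.crt valid for DAYS (stand-in for a node cert)
mk_self_signed() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$2" -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
mk_self_signed default-node 90     # the three-month default the question observed
mk_self_signed rotated-node 365    # what --cert-expiry 8760h0m0s should produce

for c in default-node rotated-node; do
  if validity_matches "$c.crt" 365; then
    echo "$c: one-year validity applied (notAfter $(not_after "$c.crt"))"
  else
    echo "$c: not a one-year cert (notAfter $(not_after "$c.crt"))"
  fi
done
```

The one-day margin inside `validity_matches` absorbs the seconds that pass between issuance and the check; widen it if you are inspecting a certificate that was rotated some time ago and compare against the days remaining rather than the full lifetime.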