Configuring MQTT broker(Mosquitto) to use SSL Encryption isn't working - ssl

I am trying to configure my MQTT broker(mosquito) to connect with MQTT client over SSL. For that I created ca.crt , server.crt, and server.key.
Then I edited the mosquito config file like this:
listener 8883
certfile /etc/mosquitto/ca_certificates/server.crt
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/ca_certificates/server.key
require_certificate false
use_identity_as_username true
When creating these certificates, I have made sure to add the common name to 127.0.0.1 as suggested in this guide
After that I run my mosquito broker using the config file that I created using:
mosquitto -c /etc/mosquitto/conf.d/password.conf
This command starts my MQTT broker and it starts listening at port 8883.
1645181786: mosquitto version 2.0.11 starting
1645181786: Config loaded from /etc/mosquitto/conf.d/password.conf.
1645181786: Opening ipv4 listen socket on port 8883.
1645181786: Opening ipv6 listen socket on port 8883.
1645181786: mosquitto version 2.0.11 running
Uptil here, I believe that now my broker will only allow connection at port 8883 only when ca.crt is provided in the connection call.
So, then I use this pub command to send a message to a test topic.
mosquitto_pub -h 127.0.0.1 -p 8883 --cafile /etc/mosquitto/ca_certificates/ca.crt -t test -m 45
But it results in following error:
1645182944: New connection from 127.0.0.1:58926 on port 8883.
1645182944: Client auto-7B1E49DA-54C1-532B-3948-35FFD3A11250 disconnected, not authorised.
Then I added a password file and added path to that password file in my mosquitto config file. My new config file started looking like this:
listener 8883
password_file /etc/mosquitto/conf.d/passwords
certfile /etc/mosquitto/ca_certificates/server.crt
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/ca_certificates/server.key
require_certificate false
use_identity_as_username true
After this update when I run the mosquitto_pub command with both my certificates and username, password. The client successfully connects to broker.
mosquitto_pub -h 127.0.0.1 -p 8883 --cafile /etc/mosquitto/ca_certificates/ca.crt -t test -m 45 -u "user" -P "pass123"
Note: if I run the pub command using only certs or only with password, it doesn't connect and it shouldn't too. Giving both attributes work only.
But what I want is to connect using only SSL certificates. Any help would be much appreciated.

The problem is probably use_identity_as_username true which tells mosquitto to use the client certificate's CN as the username.
But you are not sending a client certificate (the --cafile option is passing a CA cert to verify the brokers cert) in any of the examples you are showing, so remove that line from the config and see if it works.
EDIT:
If you also don't want to need to supply a username/password (or use a client certificate to identify a user) you need to include the allow_anonymous true configuration option.

Related

Mosquitto over SSL refuses publishing message

I am having some trouble with Mosquitto (MQTT) over SSL (with letsencrypt).
I have it installed on a RoR Ubuntu 18.04 server, on Digital Ocean, with Nginx installed.
This setup worked perfectly for public messages.
Then, for communication over SSL, port 8883 is listening to all traffic on the domain name.
The ports are allowed in firewall.
My Problem is, whenever I try to publish over SSL, I get an error. Here's the full log:
$mosquitto_pub -d -h my-domain.xyz -t test -m "hello again" -p 8883 --capath /etc/ssl/certs/ -u “some-user” -P "p#s$w0rd"
Client mosqpub|23889-mosquitto sending CONNECT
Client mosqpub|23889-mosquitto received CONNACK
Connection Refused: not authorised.
Error: The connection was refused.
Here is my ../conf.d/default.conf
allow_anonymous false
password_file /etc/mosquitto/passwd
​
listener 1883 localhost
​
listener 8883
certfile /etc/letsencrypt/live/my-domain.xyz/cert.pem
cafile /etc/letsencrypt/live/my-domain.xyz/chain.pem
keyfile /etc/letsencrypt/live/my-domain.xyz/privkey.pem
Sample password file from /etc/mosquitto/passwd:
some-user:$6$SzAZtOMrxYGiECMU$1YMk4lnmY8FRTZj/vy1FLsnegsxx4OXSzX60rX7ej+muz1i6//16BKwkvwXYYYg2+7w9SRYaeuKPfA9Q==
Command to subscribe
mosquitto_sub -h domain.xyz -t "test" -u "some-user" -P "p#s$w0rd"
Log as found in /var/log/mosquitto/mosquitto.og
1568255494: Opening ipv4 listen socket on port 8883.
1568255664: mosquitto version 1.4.15 terminating
1568523128: mosquitto version 1.4.15 (build date Tue, 18 Jun 2019 11:42:22 -0300) starting
1568523397: mosquitto version 1.4.15 (build date Tue, 18 Jun 2019 11:42:22 -0300) starting
1568523397: Config loaded from /etc/mosquitto/mosquitto.conf.
1568523397: Opening ipv4 listen socket on port 1883.
1568523397: Error: Address already in use
1568523128: Config loaded from /etc/mosquitto/mosquitto.conf.
1568523128: Opening ipv4 listen socket on port 8883.
1568523397: mosquitto version 1.4.15 terminating
When I run mosquitto client in blocking mode by manually providing the conf file, here's what I get:
$ mosquitto -c /etc/mosquitto/conf.d/default.conf
1568594709: mosquitto version 1.4.15 (build date Tue, 18 Jun 2019 11:42:22 -0300) starting
1568594709: Config loaded from /etc/mosquitto/conf.d/default.conf.
1568594709: Opening ipv4 listen socket on port 1883.
1568594709: Opening ipv4 listen socket on port 8883.
1568594709: Opening ipv6 listen socket on port 8883.
1568594709: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/my-domain.xyz/chain.pem".
Does it look like a permissions problem?
I followed the following guide, on an Ubuntu 18.04 : https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-16-04
What could be going wrong?
I can provide any other details that you want.

Facing Error while using TLS with mosquitto

I am trying to use TLS for communicating over mqtt. I have ubuntu installed in my system. For using TLS, I have created certificates using the below link:
http://www.embedded101.com/Blogs/PaoloPatierno/entryid/366/mqtt-over-ssl-tls-with-the-m2mqtt-library-and-the-mosquitto-broker
I am able to create certificates. But when I give value to bind_address property in the mosquitto_m2mqtt.conf file and start mosquitto using the command mosquitto -c mosquitto_m2mqtt.conf, I get error as given in the subject of the question; i.e., Error: cannot assign requested address. Please let me know how to resolve this.
Below is the content of config file:
port 8883
bind_address iothdp02
cafile /etc/mosquitto/m2mqtt_ca.crt
certfile /etc/mosquitto/m2mqtt_srv.crt
keyfile /etc/mosquitto/m2mqtt_srv.key
tls_version tlsv1
When I run the command mosquitto -c mosquitto_m2mqtt.conf -v, I am getting as error as:
1551089294: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551089294: Config loaded from mosquitto_m2mqtt.conf.
1551089294: Opening ipv4 listen socket on port 8883.
1551089294: Error: Cannot assign requested address
Edit 1:
I have removed bind_address from config file and starting mosquitto with the new config file with 'mosquitto -c mosquitto_m2mqtt.conf -v'. Mosquitto starts, but when I run mosquitto_sub command, I am getting error as below:
mosquitto -c mosquitto_m2mqtt.conf -v
1551172930: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551172930: Config loaded from mosquitto_m2mqtt.conf.
1551172930: Opening ipv4 listen socket on port 8883.
1551172930: Opening ipv6 listen socket on port 8883.
Enter PEM pass phrase:
1551172960: New connection from 127.0.0.1 on port 8883.
1551172960: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1551172960: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1551172960: Socket error on client <unknown>, disconnecting.
In the window that I am subscribing, I am getting error as below:
mosquitto_sub -p 8883 -q 1 -t sensor/temp --cafile /etc/mosquitto/m2mqtt_srv.crt --tls-version tlsv1 -d
Unable to connect (A TLS error occurred.).
If you pass a hostname to the bind_address argument it must resolve to a valid IP address, this is not necessarily the same as the output from hostname.
This has nothing to do with the TLS/certificate setup it is purely how mosquitto identifies which address to bind to.
You have a few choices on how to fix this:
remove the bind_address line, this will cause mosquitto to listen on all available addresses
ensure that what ever you use in the bind_address field resolves to an IP address bound to an interface on the machine the broker is running. This might mean using the fully qualified domain name (you probably should have used that in the broker's certificate CN as well)
replace the hostname with the ip address for the interface you want mosquitto to listen on.

mosquitto-clients and broker running on SSL

I've managed to setup a broker using SSL using Let's Encrypt certs.
I've tried testing a websockets client connecting to wss://broker:9002/mqtt, and it's working. I've also tried using mqtt.js command-line interface to subscribe to a topic on the broker mqtts://broker:8883/mqtt successfully.
However, I can't get mosquitto_sub and mosquitto_pub to work.
I tried with,
$ mosquitto_sub -h www.my-host.com.ar -p 8883 -t hello -d --cafile fullchain.pem
Client mosqsub/21069-atlantis sending CONNECT
Error: A TLS error occurred.
where fullchain.pem is the same ca cert that's on the server.
The mosquitto.log's broker shows,
1456709201: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1456709201: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1456709201: Socket error on client <unknown>, disconnecting.
1456709206: New connection from <my-ip> on port 8883.
What could be happening? I didn't provide any cert for mqtt.js lib...
This is my broker conf (splitted in two files),
#################################
# /etc/mosquitto/mosquitto.conf #
#################################
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
listener 1883
listener 8883
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem
include_dir /etc/mosquitto/conf.d
#############################################
# /etc/mosquitto/conf.d/websockets_ssl.conf #
#############################################
listener 9002
protocol websockets
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem
Try adding "--insecure" at the end of the mosquitto_sub and mosquitto_pub commands. This allows the clients to bypass the check that matches the certificate hostname with the remote host name. I've had to do this with some of the self-signed certs that I generated.
Here is the relevant comments from the "--help" for those commands:
--insecure : do not check that the server certificate hostname matches the remote
hostname. Using this option means that you cannot be sure that the
remote host is the server you wish to connect to and so is insecure.
Do not use this option in a production environment.

How to connect to a MQTT broker over SSL / TLS?

I am using CloudMQTT as my hosted broker. Everything is working fine on plain MQTT, but when I tried to connect over TLS/SSL it is not working.
I found out that I need to specify the CA certificate files and path to work.
On their FAQ page it says that their certificate files are available on most OSs (I am on Windows), but Windows doesn't store the certificates as files, so there is no path to it. I am stuck here. Which files to use?
Anyways I tried this command to subscribe over TLS/SSL (as said in their example)
mosquitto_sub -h [server] -t hello -p 2XXXX -u [username] -P [password] -d --capath /etc/ssl/certs/
It says this
Warning: Unable to open socket pair, outgoing publish commands may be delayed.
Client mosqsub/3740-Jem-PC sending CONNECT
Error: A TLS error occurred.
I also changed the capath and cafile on the mosquitto.conf file.

How do you set up encrypted mosquitto broker like a webpage which has https?

I'm trying to setup a mosquitto broker which is encrypted using ssl/tls. I don't want to generate client certificates. I just want an encrypted connection.
The man page only described the settings which are available, not which are needed and how they are used.
Which settings are needed and how do you set them?
I use mosquitto 1.3.5
There is a small guide here, but it does not say much: http://mosquitto.org/man/mosquitto-tls-7.html
You need to set these:
certfile
keyfile
cafile
They can be generated with the commands in the link above. But easier is to use this script: https://github.com/owntracks/tools/blob/master/TLS/generate-CA.sh
After running the script and changing the config it could look something like this:
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/hostname.localdomain.crt
keyfile /etc/mosquitto/certs/hostname.localdomain.key
If mosquitto says Unable to load server key file it means that the user which is running mosquitto does not have permission to read the file. Even if you start it as root the broker might start as another user, mosquitto for example. To solve this do e.g. chown mosquitto:root keyfile
To connect to the broker the client will need the ca.crt-file. If you do not supply this the broker will say something like:
OpenSSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
To supply it to the mosquitto_sub command you use --cafile pathToCaCrt. The ca.crt can be distributed with the clients and it will make sure that the server it is connected to actually is the correct server.
The --insecure flag of mosquitto_sub does not make the client accept all certificates (like with wget or similar), it just allows that the certificate not to have the host you are connecting to in common name. So you should make sure your certificate has your broker host as common name.
To secure WebSocket access of Mosquitto, e.g. using a Let's Encrypt certificate, your config file could look like this:
listener 9001
protocol websockets
certfile /etc/letsencrypt/live/yourdomain.com/cert.pem
cafile /etc/letsencrypt/live/yourdomain.com/chain.pem
keyfile /etc/letsencrypt/live/yourdomain.com/privkey.pem
Make sure that the files are readable by Mosquitto (Debian in particular runs Mosquitto under the mosquitto user, which is unprivileged). You need Mosquitto 1.4 to support WebSockets.
To connect to this WebSocket using the Paho JavaScript client:
// host and port overwritten at connect
var mqtt = new Paho.MQTT.Client("yourdomain.com", 9001, "");
mqtt.connect({
hosts: [ "wss://yourdomain.com:9001/" ],
useSSL: true
});
Note that this does not imply any access control yet, so your MQTT broker will be publicly accessible. You may want to add authorization, too.