Mosquitto with MQTTS and WSS in the same broker - ssl

I am trying to set up a Mosquitto broker using secure connection.
I was able to configure it and make it work correctly with MQTTS; I was able to test it using my ESP32 and MQTTBox.
Now I am trying to use a websocket to connect a web application, but I believe that I am failing in some Mosquitto configuration.
For MQTTS I used "CA signed server certificate" and port 8083 and everything worked fine with MQTTBox and ESP32.
I spent the whole weekend researching and trying different configurations, but I was unable to make the connection work both ways. Can someone help me? Thanks!
# First of all, use these options in mosquitto.conf
per_listener_settings true
allow_anonymous false
password_file /usr/local/etc/mosquitto/pwfile.conf
# Rules for access topics
acl_file /usr/local/etc/mosquitto/aclfile.conf
# Now, use these options in mosquitto.conf
listener 8883
cafile /usr/local/etc/mosquitto/certs/ca.crt
certfile /usr/local/etc/mosquitto/certs/server.crt
keyfile /usr/local/etc/mosquitto/certs/server.key
listener 8083
websockets
cafile /usr/local/etc/mosquitto/certs/ca.crt
certfile /usr/local/etc/mosquitto/certs/server.crt
keyfile /usr/local/etc/mosquitto/certs/server.key
EDIT, this is the Mosquitto log:
1621899173: mosquitto version 2.0.10 starting
1621899173: Config loaded from /usr/local/etc/mosquitto/mosquitto.conf.
1621899173: Opening ipv6 listen socket on port 8883.
1621899173: Opening ipv4 listen socket on port 8883.
1621899173: Opening websockets listen socket on port 8083.
1621899173: mosquitto version 2.0.10 running
1621899174: Sending CONNACK to ::ffff:192.168.15.2 (0, 5)
1621899174: Client <unknown> closed its connection.
1621899176: Sending CONNACK to ::ffff:192.168.15.2 (0, 5)
1621899176: Client <unknown> closed its connection.
1621899177: Sending CONNACK to ::ffff:192.168.15.2 (0, 5)
1621899177: Client <unknown> closed its connection.
EDIT, I used these commands to create the certificates:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
openssl x509 -in server.crt -sha1 -noout -fingerprint

From the mosquitto.conf man page
protocol value
Set the protocol to accept for the current listener. Can be mqtt, the default, or websockets if available.
Websockets support is currently disabled by default at compile time. Certificate based TLS may be used with websockets, except that
only the cafile, certfile, keyfile, ciphers, and ciphers_tls1.3
options are supported.
Not reloaded on reload signal.
Your Websockets listener should look like this:
listener 8083
protocol websockets
cafile /usr/local/etc/mosquitto/certs/ca.crt
certfile /usr/local/etc/mosquitto/certs/server.crt
keyfile /usr/local/etc/mosquitto/certs/server.key

Related

Mosquitto certificate verify failed with protocol error

I'm having trouble setting up mosquitto to encrypt over SSL/TLS. I have followed the instructions of mosquitto to generate the certificate and key. The code used is as follows:
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt.crt
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt.crt -CAkey ca.key -CAcreateserial -out server.crt.crt -days 3650
Then I configured in mosquitto.conf as follows:
listener 8883
allow_anonymous true
cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
certfile d:\etc\mosquitto\certs\server.crt.crt
keyfile d:\etc\mosquitto\certs\server.key
Then I used the code
mosquitto -v -c mosquitto.conf
The results of running mosquitto are as follows:
D:\etc\mosquitto>mosquitto -v -c mosquitto.conf
1663109874: mosquitto version 2.0.15 starting
1663109874: Config loaded from mosquitto.conf.
1663109874: Opening ipv6 listen socket on port 8883.
1663109874: Opening ipv4 listen socket on port 8883.
1663109874: mosquitto version 2.0.15 running
But I have a problem when I want to try to make the subscribe and publish commands. I ran the following code:
mosquitto_sub -d -v -h 91.121.93.94 -p 8883 -t test --cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
91.121.93.94 is the Common Name I set when generating the server key. Then I got the error below:
Client null sending CONNECT
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: protocol error
I don't know where I am going wrong or if I have not configured something in mosquitto.conf.

Getting error message when I use SSL on my server running Mosquitto?

I have implemented the mosquitto broker for ubuntu on port 8883 and port 1883 and can't figure out why I keep getting the CA related errors shown below.
It happens when I test it using mosquitto_pub locally on the server and when I use the Paho/Python script as the client on my MacBook. My mosquitto.config file, mosquitto_pub command, and my mosquitto log messages are shown below. I've also included my openssl certificate creation commands in case I did something wrong.
This is my mosquitto.conf file
# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
include_dir /etc/mosquitto/conf.d
log_type all
#-----------------------------------------------
#Default Listener
#-----------------------------------------------
port 8883
#------------------------------------------------
#Certificate Based SSL/TLS Support
#------------------------------------------------
cafile /../etc/mosquitto/ca_certificates/ca.crt
keyfile /../etc/mosquitto/certs/server.key
certfile /../etc/mosquitto/certs/server.crt
listener 1883
This is the mosquitto_pub command I use to test it.
sudo mosquitto_pub -h 305.875.987.34 -t test -m "Typing this" -p 8883 --cafile /../etc/mosquitto/ca_certificates/ca.crt
This is what the mosquitto log says when I run it.
1546507891: mosquitto version 1.5.5 starting
1546507891: Config loaded from /../etc/mosquitto/mosquitto.conf.
1546507891: Opening ipv4 listen socket on port 1883.
1546507891: Opening ipv6 listen socket on port 1883.
1546507891: Opening ipv4 listen socket on port 8883.
1546507891: Opening ipv6 listen socket on port 8883.
1546507929: New connection from 305.875.987.34 on port 8883.
1546507929: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1546507929: Socket error on client <unknown>, disconnecting.
These are the openssl commands I used to create ca.crt, server.crt, and server.key. I created them in a folder called certs.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
I then moved ca.crt to /../etc/mosquitto/ca_certifications after deleting an old ca.crt I had made trying to fix the problem. I did this with the following two commands.
sudo rm /../etc/mosquitto/ca_certifications/ca.crt
sudo mv ca.crt /../etc/mosquitto/ca_certifications
I did the same thing with server.crt and server.key except I put them in /../etc/mosquitto/certs.
The broker seems to work fine on port 1883.
Let me know if you need any more info.
To start with I would rearrange your mosquitto.conf to make it more obvious what is linked to what, and to remove the relative paths to your certs/key files, as follows:
# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
include_dir /etc/mosquitto/conf.d
log_type all
#-----------------------------------------------
#Default Listener
#-----------------------------------------------
port 1883
#------------------------------------------------
#Certificate Based SSL/TLS Support
#------------------------------------------------
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
I've swapped the port/listener entries to make it obvious that the SSL setup is bound to the port 8883 listener. I've also removed the /../ from the start of the paths as this is meaningless as it's impossible to go "up" a directory from the / "root".
Likewise you should use the direct paths for the mosquitto_pub command.
Also as you are copying files around as root (with sudo), make sure that the cert/key files are readable by the mosquitto user.
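A worked example pulling together the two fixes above: the protocol websockets listener from the first answer and the absolute paths from this one. None of it is from the posts. The two configs below are constructed here, modelled on the ones posted, with the /usr/local/etc/mosquitto paths from the first question assumed. The lint also checks one thing neither answer spells out: with per_listener_settings true, allow_anonymous, password_file and acl_file apply to the listener that precedes them, so placed before the first listener they do nothing for the TLS listeners below, which then fall back to the Mosquitto 2.0 default of allow_anonymous false with no password file and answer every CONNECT with CONNACK return code 5 (not authorised). It needs only a POSIX shell.

```shell
#!/bin/sh
# Added example (constructed for this page, not from any of the posts).
# Writes a corrected two-listener mosquitto.conf and a copy of the
# misconfigured one, then lints both for the mistakes discussed above.
set -eu
WORK=$(mktemp -d)
CERTS=/usr/local/etc/mosquitto/certs   # path taken from the first question

# Corrected: every listener names its protocol, uses absolute paths, and
# carries its own auth settings because per_listener_settings is true.
cat > "$WORK/good.conf" <<EOF
per_listener_settings true

listener 8883
protocol mqtt
cafile $CERTS/ca.crt
certfile $CERTS/server.crt
keyfile $CERTS/server.key
allow_anonymous false
password_file /usr/local/etc/mosquitto/pwfile.conf
acl_file /usr/local/etc/mosquitto/aclfile.conf

listener 8083
protocol websockets
cafile $CERTS/ca.crt
certfile $CERTS/server.crt
keyfile $CERTS/server.key
allow_anonymous false
password_file /usr/local/etc/mosquitto/pwfile.conf
acl_file /usr/local/etc/mosquitto/aclfile.conf
EOF

# Misconfigured: auth options outside any listener, a bare "websockets"
# line, and a /../ path (modelled on the configs posted above).
cat > "$WORK/bad.conf" <<EOF
per_listener_settings true
allow_anonymous false
password_file /usr/local/etc/mosquitto/pwfile.conf
acl_file /usr/local/etc/mosquitto/aclfile.conf
listener 8883
cafile /../etc/mosquitto/certs/ca.crt
certfile $CERTS/server.crt
keyfile $CERTS/server.key
listener 8083
websockets
cafile $CERTS/ca.crt
certfile $CERTS/server.crt
keyfile $CERTS/server.key
EOF

# Prints one line per finding; prints nothing for a clean file.
lint_mosquitto_conf() {
    conf=$1 per_listener=0 in_listener=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into option and value(s)
        [ $# -eq 0 ] && continue
        key=$1; shift
        case $key in
            per_listener_settings) [ "${1:-}" = true ] && per_listener=1 ;;
            listener|port) in_listener=1 ;;
            websockets)
                echo "'websockets' is not an option; write 'protocol websockets' under the listener" ;;
            cafile|certfile|keyfile)
                case ${1:-} in
                    */../*) echo "$key ${1:-}: '/../' above the root is meaningless; use the absolute path" ;;
                esac ;;
            allow_anonymous|password_file|acl_file)
                if [ $per_listener -eq 1 ] && [ $in_listener -eq 0 ]; then
                    echo "$key before any listener: with per_listener_settings true it does not apply to the listeners below"
                fi ;;
        esac
    done < "$conf"
}

# Number of findings for a file (0 for a clean one).
finding_count() { lint_mosquitto_conf "$1" | grep -c . ; }

for f in good bad; do
    echo "== $f.conf: $(finding_count "$WORK/$f.conf") finding(s)"
    lint_mosquitto_conf "$WORK/$f.conf"
done
```

The lint is deliberately narrow: it only knows the three mistakes that appear in these threads and does not parse the file the way the broker does, so the authoritative check is still to start mosquitto -v -c on the file and read what it logs for each listener.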

Mosquitto SSL certificate verify failed

I'm using Mosquitto version 1.4.8 on my test PC and the server. The server is accessible via ha.euroicc.com.
I've generated certificates and keys using the following script:
#! /usr/bin/env bash
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial should be different from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Verify Server Certificate
openssl verify -purpose sslserver -CAfile ca.crt server.crt
# Verify Client Certificate
openssl verify -purpose sslclient -CAfile ca.crt client.crt
I've put 'd', 'dd' and 'dddd' everywhere except for common name.
The common name for ca is 'd' and for server/client is 'ha.euroicc.com'.
CN for server/client needs to be this value, or it doesn't work at all!
My current mosquitto config file:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
password_file /etc/mosquitto/passwd
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
port 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I use this command to subscribe from test PC:
mosquitto_sub -h ha.euroicc.com -t "topic/test" -u "damjan" -P "damjan" -p 8883 --cafile ca.crt --key client.key --cert client.crt
And get these errors:
On test PC:
Error: A TLS error occurred.
On server:
1532564086: OpenSSL Error: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed
1532564086: Socket error on client <unknown>, disconnecting.
I've tried without require_certificate set on the server side, and not using client key/cert on the client side and subscription works in this case. This means that username/password parameters are fine.
That means that I either generated certificates and keys with a problem, my mosquitto.conf is bad or I'm using mosquitto_sub with a problem. Maybe something else?
I'm really at loss here and can't figure out what to try next...
Every bit of information helps.
Had a similar issue while upgrading to 2.0: because of the updated TLS/SSL bindings, several known weak algorithms are not supported anymore.
In my case the signature of the certificate was sha1WithRSAEncryption where sha1 is the weak part. The same would be for e.g. MD5.
Check your certificate with openssl x509 -text -noout -in your.crt
Resigning the certificate with sha256WithRSAEncryption fixed it for me.
There is no need to create a new key.
You can either create a new CSR from your existing key and information from your certificate:
openssl x509 -x509toreq -in sha1.crt -signkey sha1.key -out sha256-new.csr -sha256
or overwrite the algorithm while signing the existing CSR again:
openssl x509 -req -days 360 -in sha1.csr -CA DummyCA-DonotTrust.pem -CAkey DummyCA-DonotTrust.pem -CAcreateserial -out sha256.crt -sha256
Recent openssl versions should use sha256 by default.
Debian has changed the default setting with openssl-1.1.1, see https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1, and set CipherString = DEFAULT@SECLEVEL=2.
To get a list of supported algorithms run: openssl ciphers -s -v 'ALL:@SECLEVEL=2'
Ok, so the problem was that I was generating all of the files on my test PC, and then sending it to the server.
I've tried generating everything on the server, and then copying appropriate files to my test PC, and everything works fine.
I've followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt . With lesser changes like hostname etc.
I had the same issue.
To fix it, while generating server.crt, answer the 'Common Name' question with the IP address of the machine where the MQTT broker is going to run.
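The answers to this question, the previous two questions and the openssl commands in all four threads keep hitting the same two certificate properties: the signature hash (sha1WithRSAEncryption is refused at SECLEVEL=2, as the first answer above explains) and the names a client is allowed to match (modern clients check the subjectAltName, and a certificate whose only name is the Common Name is where the "certificate verify failed" errors come from). The script below is an added example, not from any post and not Mosquitto project code. It generates a CA, a broker certificate carrying both a DNS and an IP SAN, and a client certificate for require_certificate, then uses openssl itself to check what mosquitto_sub would check, including the mismatch case. broker.example.test and 192.0.2.10 are placeholders for your broker's name and address; -verify_hostname and -verify_ip need OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not from any of the posts above). Generates a private CA,
# a broker certificate with SANs and a client certificate, then checks the
# properties the threads above tripped over. Names and IP are placeholders.
set -eu

WORK=${WORK:-$(mktemp -d)}
BROKER_DNS=broker.example.test     # assumed hostname clients connect to
BROKER_IP=192.0.2.10               # assumed address, for clients that use the IP

make_ca() {                        # $1 = output prefix
    openssl genrsa -out "$1.key" 4096 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=Example MQTT CA" -out "$1.csr"
    # Explicit CA extensions so the result verifies on every OpenSSL version.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    # -sha256 avoids the sha1WithRSAEncryption signatures rejected at SECLEVEL=2.
    openssl x509 -req -sha256 -days 3650 -in "$1.csr" -signkey "$1.key" \
        -extfile "$1.ext" -out "$1.crt"
}

make_server_cert() {               # $1 = prefix, $2 = CA prefix, $3 = DNS name, $4 = IP
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$3" -out "$1.csr"
    # Clients match the SAN, not the CN: list every name and address they use.
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' "$3" "$4" > "$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt"
}

make_client_cert() {               # $1 = prefix, $2 = CA prefix, $3 = client identity
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$3" -out "$1.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$1.ext"
    # -CAcreateserial reuses ca.srl, so this serial differs from the server's.
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt"
}

sig_alg() {                        # $1 = cert; prints e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

san_of() {                         # $1 = cert; prints the SAN entries, or nothing
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

verify_chain() {                   # $1 = sslserver|sslclient, $2 = CA cert, $3 = cert
    openssl verify -purpose "$1" -CAfile "$2" "$3" >/dev/null 2>&1
}

verify_host() {                    # $1 = CA cert, $2 = cert, $3 = name the client uses
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

verify_ip() {                      # $1 = CA cert, $2 = cert, $3 = address the client uses
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

cd "$WORK"
make_ca ca
make_server_cert server ca "$BROKER_DNS" "$BROKER_IP"
make_client_cert client ca esp32-01
echo "server signature: $(sig_alg server.crt)"
echo "server SAN:       $(san_of server.crt)"
verify_chain sslserver ca.crt server.crt && echo "server chain: OK"
verify_chain sslclient ca.crt client.crt && echo "client chain: OK"
verify_host ca.crt server.crt "$BROKER_DNS" && echo "name $BROKER_DNS: matches"
verify_ip ca.crt server.crt "$BROKER_IP" && echo "address $BROKER_IP: matches"
verify_host ca.crt server.crt wrong.example.test ||
    echo "name wrong.example.test: rejected (this is the 'certificate verify failed' case)"
```

The server's cafile, certfile and keyfile are then ca.crt, server.crt and server.key; the client passes --cafile ca.crt and, for require_certificate, --cert client.crt --key client.key, and must connect using one of the names in the SAN.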

Squid proxy with ssl-bump - squid configuration error

I would like to install Squid proxy with SSL bump. I am working in my virtual lab, and once everything is OK I will test it on the real network.
I already created a directory for the cert and generated the cert as below:
#Generate Private Key
openssl genrsa -out MSY.com.private 2048
# Create Certificate Signing Request
openssl req -new -key MSY.com.private -out MSY.com.csr
# Sign Certificate
openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out MSY.com.cert
Then I filled in the info and set the 'Common Name' to something other than the domain or server_name. In addition, please find below the lines from the Squid configuration file:
http_port 3128
#the problem is with the below line
ssl-bump cert=/etc/squid/ssl_cert/MSY.com.cert
key=/etc/squid/ssl_cert/MSY.com.private generate-host-certificates=on
version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# SSL Bump Config
ssl_bump stare all
ssl_bump bump all
And it's not working; if I remove the SSL bump certificate line from the configuration, the proxy works, but without SSL. My questions: can we eliminate SSL-bump from the configuration, and can I manually copy the certificate to the client/user machine and add it to his/her Internet browser?
thanks

How do I know that my openssl generates TLSv1.2

I need to generate a TLSv1.2 SSL certificate. I have done the following:
openssl genrsa -out myselfsigned.key 2048
openssl req -new -x509 -sha256 -key myselfsigned.key -out myselfsigned.cer -days 365 -subj /CN=<my localhost ip address>
Now how do I know that the certificate is actually a TLSv1.2 SSL certificate?
There is no such thing as a TLS 1.2 certificate.
There are RSA and ECDSA certificates which can be used with various TLS protocol versions and ciphers.
Whether TLS 1.2 is actually used depends on the capabilities and configuration of both client and server. You can check this by doing a packet capture and analysing it with Wireshark. There are also often ways at the server and client to find out which TLS version is in use for the current connection, but how this is done depends on the client and server. For example, with many browsers you get this information by clicking on the lock icon and then looking at the connection details.