How do I set up TLS on a mosquitto (MQTT) broker? - ssl

I got mosquitto working, using plain old TCP but i want to secure it using SSL and TLS, so i followed the following guide to create the certificates for my mosquitto broker:
https://mosquitto.org/man/mosquitto-tls-7.html
Then I added the following lines to the config file:
listener 8883
cafile /mqtt/certs/ca.crt
certfile /mqtt/certs/server.crt
keyfile /mqtt/certs/server.key
require_certificate false
But now when i try to use mosquitto_sub on another machine to try to connect to the mosquitto broker over port 8883 (TLS), i get the following error on the broker
New connection from XX.XXX.XXX.XXX on port 8883.
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client <unknown>, disconnecting.
I've tried doing the mosquitto_sub the following ways:
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --cert client.crt --key client.key
And the certificates on the client side were generated based on the first link i mentioned earlier.
Anyone know why this is happening and how I can go about fixing it?

This is the good way to subscribe as you do not require client certificate :
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
It seems that the client fail to verify the server certificate.
You should make sure that :
ca.crt is the same on client and server side
the common name of your server certificate corresponds to its hostname
Also check if you have the same openssl version on server and client side as this error could also happen if client and server do not use a common protocol or do not share any cypher
hope it could help, else I will be interested to know how you solved this problem

Try --insecure option.
mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --insecure

Related

MQTT MTLS connection with different CA

I am trying mtls authentication in MQTT. I am using mosquitto to achieve this. When I created a server and client certificate from the same CA then the connection was successful. But if I use a different CA for creating a client certificate then it's failing with the below message
Client null sending CONNECT
OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: The connection was lost.
Is it mandatory to use the same CA for both client and server certificates in mtls?
Mosquitto.conf
listener 8883
certfile C:\\server.crt
keyfile C:\\server.key
require_certificate true
cafile C:\mqtt-ssl-demo\ca.crt
allow_anonymous true
Running broker using
mosquitto -c "C:\Program Files\mosquitto\mosquitto.conf"
Subscribe with a client with a certificate signed by server cert ca [SUCCESS]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\client.crt --key C:\mqtt-ssl-demo\client.key
Subscribe with a client with a certificate signed by other ca [FAILURE]
mosquitto_sub --cafile C:\mqtt-ssl-demo\ca.crt -t test -d -h Computername -p 8883 --cert C:\mqtt-ssl-demo\otherclient.crt --key C:\mqtt-ssl-demo\otherclient.key
Created certificate using Mosquitto SSL Configuration -MQTT TLS Security
The important thing to realise here is that the CA file passed to the broker as part of it's config is used to verify the certificate of any connecting clients.
Where as the CA file passed to the client (mosquitto_sub) is used to verify the certificate the broker presents.
So if you are using different CAs then these files need to be different, it's not clear from what you've posted which CA certs you are using where.

Why does dropping the ca-cert flag let redis-cli connect to our Redis server via SSL?

I am using Redis 6.2.6 with TLS. I managed to provide Redis with SSL certificates (full-chain and key certificates) that are issued by ZeroSSL through Acme.sh. I got things working (after wrangling with permissions), but when I connect to the server with:
redis-cli -h <host>.domain.tld -p <port> --tls --cacert /etc/ssl/certs/ca-certificates.crt --cert "/path/to/certs/*.domain.tld.pem" --key "/path/to/certs/*.domain.tld.key"
I get:
Could not connect to Redis at <host>.domain.tld:<port>: SSL_connect failed: certificate verify failed
However, when I remove the --cacert flag, like:
redis-cli -h <host>.domain.tld -p <port> --tls --cert "/path/to/certs/*.domain.tld.pem" --key "/path/to/certs/*.domain.tld.key"
I am able to connect successfully to the Redis server. Why is this so?
Here is the relevant TLS-related configuration for the Redis server.
port 0
tls-port <port>
tls-cert-file /path/to/certs/*.domain.tld.pem
tls-key-file /path/to/certs/*.domain.tld.key
tls-ca-cert-file /etc/ssl/certs/ca-certificates.crt
tls-auth-clients no

using mosquitto_sub with --insecure

Right now I have to do an initial test of a mqtt broker (ssl).
However right now I don't have the valid truststore certificates, however I would like to test the basic connectivity, ignoring SSL errors regarding hostname verification, certificate validation etc.
Unfortunately I am not successful, even with a broker I know it's working.
What I'm doing:
mosquitto_sub -h the_host -p 8883 -t '#' -v -u myUser -P myPass --insecure -d --capath /etc/ssl/certs
According to the manpage I just use the --capath to identify it's a TLS connection, well knowing that the necessary root certificate is not available here.
What I get is this:
Client mosqsub|11262-csbox sending CONNECT
Error: A TLS error occurred.
Any idea what I'm doing wrong?
Using --insecure just disables the verification of the hostname in the certificate presented by the broker. It does not remove the need to have a copy of the CA certificate that signed the brokers certificate.
So if /etc/ssl/certs doesn't contain a matching CA certificate then the connection will fail.
If needed you should be able to use something like openssl s_client to download the certificate chain directly from the broker, you can then point to that file with the --cafile option instead of the --capath option.

Facing Error while running mosquitto broker using TLS with mosquitto

I am trying to use TLS for communicating over mqtt. I have ubuntu installed in my system. For using TLS, I have created certificates using the below link:
http://www.embedded101.com/Blogs/PaoloPatierno/entryid/366/mqtt-over-ssl-tls-with-the-m2mqtt-library-and-the-mosquitto-broker
I am able to create certificates. I have removed bind_address from config file. I am starting mosquitto with the new config file with mosquitto -c mosquitto_m2mqtt.conf -v. Mosquitto starts, but when I run mosquitto_sub command, I am getting error as below:
mosquitto -c mosquitto_m2mqtt.conf -v
1551172930: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551172930: Config loaded from mosquitto_m2mqtt.conf.
1551172930: Opening ipv4 listen socket on port 8883.
1551172930: Opening ipv6 listen socket on port 8883.
Enter PEM pass phrase:
1551172960: New connection from 127.0.0.1 on port 8883.
1551172960: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1551172960: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1551172960: Socket error on client <unknown>, disconnecting.
In the window that I am subscribing, I am getting error as below:
mosquitto_sub -p 8883 -q 1 -t sensor/temp --cafile /etc/mosquitto/m2mqtt_srv.crt --tls-version tlsv1 -d
Unable to connect (A TLS error occurred.).
Below are the parameters added in config file.
port 8883
cafile /etc/mosquitto/m2mqtt_ca.crt
certfile /etc/mosquitto/m2mqtt_srv.crt
keyfile /etc/mosquitto/m2mqtt_srv.key
tls_version tlsv1
mosquitto_sub and pub needs a host address or ip. For example i use test.mosquitto.org in my local, download the pem formatted certificate file from this site and added to the conf file just this certificate as "cafile". And here is my command:
mosquitto_sub -h test.mosquitto.org -t "test" -p 8883 --cafile "<pem formatted crt file path (downloaded from test.mosquitto.org)>"

Mosquitto TLS/SSL SSL3_READ_BYTES: ssl handshake failure, Error: Success and sslv3 alert

I tried following the guide shown by mosquitto but once I launch the mosquitto
mosquitto -c mosquitto.conf
which defines port, location of ca.crt, server.crt, server.key
then I followed similar step using the same CA file, to sign the client key and certificate.
Then launched client
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] -t "hello" -m "hello world"
when I do it like this without key and certificate I get
Error: Success
but when I do it with key and certificate
mosquitto_pub -p [port] -h localhost --cafile [ca.crt filepath] --cert [client.crt path] --key [client1.key path] t "hello" -m "hello world"
I get
Error:Success
On the server side I See the following errors
... routines:SSL3_READ_BYTES: sslv3 alert certificate unknown
... routines:SSL3_READ_BYTES: ssl handshake failure
I ran openssl commands to verify CA approves of both generated certificates, and it did.
It turns out, when entering the detail of the certificate, i mistake the common name section's purpose. After I set it to the ip address of the server, it all worked well
I was getting the same error. I tried to subscribe like this:
mosquitto_sub -h ip_address -p 8883 -t topic --cafile /etc/mosquitto/ca_certificates/ca.crt -d.
Replace ip_addres with your ip address that you wrote when you created certificate. In your question, you wrote localhost. If you replace it with ip address it will be work.