
mosquitto-clients and broker running on SSL

I've managed to setup a broker using SSL using Let's Encrypt certs.

I've tried testing a websockets client connecting to wss://broker:9002/mqtt, and it's working. I've also tried using mqtt.js command-line interface to subscribe to a topic on the broker mqtts://broker:8883/mqtt successfully.

However, I can't get mosquitto_sub and mosquitto_pub to work. I tried with,

$ mosquitto_sub -h www.my-host.com.ar -p 8883 -t hello -d --cafile fullchain.pem
Client mosqsub/21069-atlantis sending CONNECT
Error: A TLS error occurred.

where fullchain.pem is the same ca cert that's on the server.

The broker's mosquitto.log shows,

1456709201: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1456709201: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1456709201: Socket error on client <unknown>, disconnecting.
1456709206: New connection from <my-ip> on port 8883.

What could be happening? I didn't provide any cert for mqtt.js lib...

This is my broker conf (split in two files),

#################################
# /etc/mosquitto/mosquitto.conf #
#################################
pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

listener 1883

listener 8883
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem

include_dir /etc/mosquitto/conf.d

#############################################
# /etc/mosquitto/conf.d/websockets_ssl.conf #
#############################################
listener 9002
protocol websockets
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem

Try adding "--insecure" at the end of the mosquitto_sub and mosquitto_pub commands. This allows the clients to bypass the check that matches the certificate hostname with the remote host name. I've had to do this with some of the self-signed certs that I generated.

Here are the relevant comments from the "--help" for those commands:

--insecure : do not check that the server certificate hostname matches the remote
             hostname. Using this option means that you cannot be sure that the
             remote host is the server you wish to connect to and so is insecure.
             Do not use this option in a production environment.
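A check worth running before reaching for --insecure is whether the file handed to --cafile can act as a trust anchor at all. On a Let's Encrypt host, fullchain.pem is the leaf certificate plus the intermediate; the self-signed root is not in it, and OpenSSL-based clients (mosquitto_sub included) only accept a chain that ends in a self-signed certificate from the CA file, which is the client-side condition behind a "tlsv1 alert unknown ca" in the broker log. The script below is an added illustration, not code from the question or the answer above: it builds a throwaway root, intermediate and leaf with the openssl command-line tool (the names Example Root, Example Intermediate and broker.example.test, and the temporary directory layout, are constructed for the demo), assembles a fullchain.pem the way certbot does, and shows that `openssl verify` rejects the leaf when that bundle is the CA file but accepts it when the root is.

```shell
#!/bin/sh
# Added illustration: a scratch root -> intermediate -> leaf PKI, then the
# same chain check an OpenSSL client performs, run against two CA files.

# build_test_pki: create the scratch PKI in a temp dir and print its path.
build_test_pki() {
    dir=$(mktemp -d)
    # Minimal req config: empty DN section (subjects come from -subj) plus
    # extension sections for CA certificates and for the broker leaf.
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:broker.example.test
EOF
    # Self-signed root: the only certificate here that can be a trust anchor.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" -days 2 \
        -subj "/CN=Example Root" -config "$dir/ext.cnf" -extensions ca >/dev/null 2>&1
    # Intermediate CA, signed by the root (same shape as the Let's Encrypt chain).
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Example Intermediate" -config "$dir/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.pem" -days 2 \
        -extfile "$dir/ext.cnf" -extensions ca >/dev/null 2>&1
    # Broker (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=broker.example.test" -config "$dir/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.pem" -days 2 \
        -extfile "$dir/ext.cnf" -extensions leaf >/dev/null 2>&1
    # What certbot calls fullchain.pem: leaf + intermediate, and no root.
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/fullchain.pem"
    echo "$dir"
}

# verify_leaf CAFILE LEAF [UNTRUSTED]: exit 0 only if LEAF chains up to a
# self-signed root contained in CAFILE. UNTRUSTED, if given, may supply
# intermediates but is never treated as a trust anchor.
verify_leaf() {
    cafile=$1; leaf=$2; untrusted=$3
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
    fi
}

pki=$(build_test_pki)
if verify_leaf "$pki/fullchain.pem" "$pki/leaf.pem"; then
    echo "fullchain.pem as CA file: OK (unexpected)"
else
    echo "fullchain.pem as CA file: rejected, it contains no self-signed root"
fi
if verify_leaf "$pki/root.pem" "$pki/leaf.pem" "$pki/int.pem"; then
    echo "root.pem as CA file (intermediate supplied as untrusted): OK"
fi
rm -rf "$pki"
```

Running `openssl verify -CAfile <the file you pass to --cafile> cert.pem` against the broker's own files reproduces the client's decision offline; if that fails, the fix is on the trust-anchor side (a CA file that contains the issuing root, or --capath pointing at the system CA directory), and --insecure only removes the hostname check that the help text quoted above describes.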
