
How do I set up TLS on a mosquitto (MQTT) broker?

I got mosquitto working using plain old TCP, but I want to secure it using SSL and TLS, so I followed the following guide to create the certificates for my mosquitto broker:

https://mosquitto.org/man/mosquitto-tls-7.html

Then I added the following lines to the config file:

listener 8883
cafile /mqtt/certs/ca.crt
certfile /mqtt/certs/server.crt
keyfile /mqtt/certs/server.key
require_certificate false

But now when I try to use mosquitto_sub on another machine to connect to the mosquitto broker over port 8883 (TLS), I get the following error on the broker:

New connection from XX.XXX.XXX.XXX on port 8883.
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client <unknown>, disconnecting.

I've tried doing the mosquitto_sub the following ways:

$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt
$ mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --cert client.crt --key client.key

And the certificates on the client side were generated based on the first link I mentioned earlier.

Anyone know why this is happening and how I can go about fixing it?

This is the correct way to subscribe, as you do not require a client certificate:

mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt

It seems that the client fails to verify the server certificate. You should make sure that:

  • ca.crt is the same on client and server side
  • the common name of your server certificate corresponds to its hostname

Also check whether you have the same OpenSSL version on the server and client side, as this error could also happen if the client and server do not use a common protocol or do not share any cipher.

Hope this helps; otherwise I would be interested to know how you solved this problem.
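The two checks in the answer above can be done offline with openssl before retrying mosquitto_sub. The script below is an added example, not code from the original answers or from the mosquitto project; the file names, port 8883 and the broker host name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): offline checks for the two
# points above, run on the CLIENT machine before retrying mosquitto_sub.
# File names and the broker host name are assumptions; adjust to your setup.

# SHA-256 fingerprint of a certificate; compare the output for the client's
# ca.crt with the same command run against the broker's cafile.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# 0 when server.crt was issued by the CA in ca.crt; this is the check the
# client performs during the handshake and that fails with "unknown ca".
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the host name appears as the certificate CN or as a DNS SAN entry
# (the mosquitto-tls guide puts the broker host name in the CN).
name_matches() {
  cert="$1"; host="$2"
  openssl x509 -noout -text -in "$cert" \
    | grep -Eq "(CN ?= ?|DNS:)${host}(,|$| )"
}

# Live handshake using the same trust anchor mosquitto_sub --cafile would use.
# -verify_return_error makes s_client fail instead of only printing the error.
handshake_ok() {
  host="$1"; ca="$2"
  openssl s_client -connect "${host}:8883" -servername "$host" \
    -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1
}

# Example session (assumed paths and host name):
#   cert_fingerprint ca.crt                 # compare with the broker's cafile
#   chain_ok ca.crt server.crt || echo "server.crt was not issued by this CA"
#   name_matches server.crt HOST_HERE.com || echo "CN/SAN does not match host"
#   handshake_ok HOST_HERE.com ca.crt && echo "TLS verification passes"
```

If chain_ok fails, the client's ca.crt is not the CA that signed server.crt; if name_matches fails, regenerate the server certificate with the broker's host name as CN.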

Try the --insecure option.

mosquitto_sub -h "HOST_HERE.com" -t "sup" -p 8883 --cafile ca.crt --insecure
