Certificate verify failed - MQTT

My domain is: https://dashboard.digitalnut.co.uk/
My web server is (include version):
The operating system my web server runs on is (include version): Oracle Linux
I can login to a root shell on my machine - yes
I’m using a control panel to manage my site - no
The version of my client is certbot-auto v1.0.0

I have a Grafana dashboard running at https://dashboard.digitalnut.co.uk:8443 using Letsencrypt certificates generated by Certbot. The certificates seem good, and https://check-your-website.server-daten.de/?q=dashboard.digitalnut.co.uk%3A8443 shows ‘chain complete’ so to me it looks as though the certificates are good & valid.

However… data is passed to Telegraf via MQTT on port 8883 (which is then displayed in Grafana), and I’m using the same Letsencrypt certificates to create an MQTT TLS connection.

My MQTT config in Telegraf includes:

 servers = ["ssl://digitalnut.co.uk:8883"]  (this is the broker's address)
 tls_ca = "/etc/telegraf/certs/chain.pem"
 tls_cert = "/etc/telegraf/certs/cert.pem"
 tls_key = "/etc/telegraf/certs/privkey.pem"

All 3 certificates are owned by telegraf:telegraf and permissions are 640.

This unfortunately will not connect to the (Mosquitto) MQTT broker, and the broker log shows:

1575910430: New connection from 140.238.70.129 on port 8883.
1575910430: OpenSSL Error: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

I have other TLS enabled connections successfully subscribing to the broker, which are also certified by Letsencrypt, so I just can’t understand why this one fails.

It sounds like Mosquitto is configured for authentication via client certificates.

This error:

Suggests to me that the client certificate being sent by Telegraf (probably tls_cert) does not meet the client authentication requirements laid out in your Mosquitto config.

Why? It is an odd thing to do to use Let's Encrypt-signed (or any public CA, really) certificates in a client authentication context.

But as I said above;

If they connect OK, why doesn't this?

Is there a reason why I shouldn't use Letsencrypt certificates for this purpose?

I am pretty new to TLS and indeed MQTT, so any advice would be welcome.

Well, to answer that, I'd want to see your Mosquitto config, so that we can compare what's configured with what you're expecting.

Well, what would it achieve? If you use Let's Encrypt certificates for client authentication, then literally anybody with any valid Let's Encrypt certificate could authenticate to Mosquitto.

To avoid that, you'd have to layer further authentication on top of it, which would make the upkeep of having valid Let's Encrypt certificates pointless, since self-signed certificates would do the same job.
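The point made in this reply, that the CA in Mosquitto's cafile decides which client certificates count, shown as an added Go example (not code from this thread, Telegraf or Mosquitto): a hypothetical private CA issues the Telegraf client certificate, and a broker-side check modelled on require_certificate accepts it while rejecting a certificate from any other CA, which is exactly what a public CA in cafile would have let in. The CA names, the in-memory certificates and the check standing in for Mosquitto are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign generates a key and has parent sign t (self-signed when parent is nil).
func sign(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA is a self-signed CA; its PEM is what Mosquitto's cafile would hold.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueClientCert has ca sign a client-authentication leaf for one device.
func issueClientCert(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert
}

// brokerAccepts mirrors require_certificate: chain to the cafile CA plus the client-auth EKU.
func brokerAccepts(trustedCA, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
func main() {
	privCA, privKey := newCA("private MQTT CA") // hypothetical CA you run yourself
	pubCA, pubKey := newCA("some public CA")    // stands in for Let's Encrypt or any other public CA
	fmt.Println(brokerAccepts(privCA, issueClientCert(privCA, privKey, "telegraf")), // true
		brokerAccepts(privCA, issueClientCert(pubCA, pubKey, "anyone-at-all")))     // false
}
```

Putting a public CA's chain in cafile instead of the private CA is the configuration that makes the second check return true for every holder of a certificate from that CA.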

That sounds like a convincing argument!

The reason I avoided self signed certs was that unlike Certbot/Letsencrypt, S/S certs need to be manually generated. But if that's the route I need to take....

Thank you

You may want to look into smallstep if you choose to run your own private CA for MQTT authentication.

Thanks Phil, I've just had a quick look, but will spend some time this evening reading through in detail.

So Telegraf is the client and Mosquitto the server? And the error is provided by the client, i.e. Telegraf? Let's Encrypt certificates can only be used by servers. So if Telegraf is the client which initiates the SSL connection (to the server Mosquitto), it doesn't need a LE cert! Only Mosquitto would be configured with a LE cert.

So why does Telegraf have the certificate path settings in its .conf file?

 tls_ca = "/etc/telegraf/certs/chain.pem"
 tls_cert = "/etc/telegraf/certs/cert.pem"
 tls_key = "/etc/telegraf/certs/privkey"

I'm not disputing what you say, I've just found this really difficult to get my head around.
