Error: Unable to load CA certificates

matrixall · December 28, 2020, 12:58pm

I installed mosquitto with snap but when I run mosquitto, I get error below:

I checked "/etc/letsencrypt/live/burooq.com/chain.pem" and it has valid contents.
My domain is:

I ran this command:
snap run mosquitto
It produced this output:
Found config in /var/snap/mosquitto/common/mosquitto.conf
1609159885: mosquitto version 1.6.12 starting
1609159885: Config loaded from /var/snap/mosquitto/common/mosquitto.conf.
1609159885: Opening ipv4 listen socket on port 1883.
1609159885: Opening ipv4 listen socket on port 8883.
1609159885: Opening ipv6 listen socket on port 8883.
1609159885: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/burooq.com/chain.pem".
1609159885: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
1609159885: OpenSSL Error[1]: error:2006D002:BIO routines:BIO_new_file:system lib
1609159885: OpenSSL Error[2]: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
My web server is (include version):
Linux
The operating system my web server runs on is (include version):
Unbuntu 18
My hosting provider, if applicable, is:
godaddy
I can login to a root shell on my machine (yes or no, or I don't know):
yes, all installed as root
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

JuergenAuer · December 28, 2020, 1:07pm

Hi @matrixall

if you have that error, your server doesn't send the intermediate certificate.

Use fullchain.pem instead of chain.pem. There the intermediate certificate is included.

Your port 443 sends both certificates.

Osiris · December 28, 2020, 1:29pm

Looks like a permission problem. As which user is mosquitto running? What are the permissions of all the directories and files under /etc/letsencrypt?

Also, what is your TLS configuration for Mosquitto? It looks like you're using cafile, but I don't think that's required, as that config option is meant for client certificate authentication.

matrixall · December 28, 2020, 5:19pm

fullchain.pem produces the same error.

matrixall · December 28, 2020, 5:21pm

everything was installed under root access.

griffin · December 28, 2020, 5:24pm

You might consider looking at _az's responses in this topic:

matrixall · December 28, 2020, 5:32pm

it seems acl is not installed by default, I had to install it then I ran:

sudo setfacl -R -m u:THEUSER:rX /etc/letsencrypt/{live,archive}

But the issue still persists.

I changed THEUSER to root but it didn't work on root
I changed it to another account, it worked under that account

Topic		Replies	Views
Mosquitto suddenly cannot load certificates Help	94	8195	November 9, 2020
Mosquitto with letsencrypt certaficat error :connection refused Help	14	4420	November 24, 2020
How to get Letsencrypt working with the Mosquitto MTTQ broker Help	9	244	April 16, 2026
MQTT SSL certificate expired Help	14	6678	November 19, 2021
Same crtificate for NGINX and MQTT mosquitto Help	11	7043	July 27, 2017

Error: Unable to load CA certificates

Related topics