Error: Unable to load CA certificates

I installed mosquitto with snap, but when I run mosquitto I get the error below:

I checked "/etc/letsencrypt/live/burooq.com/chain.pem" and it has valid contents.
My domain is:


I ran this command:
snap run mosquitto
It produced this output:
Found config in /var/snap/mosquitto/common/mosquitto.conf
1609159885: mosquitto version 1.6.12 starting
1609159885: Config loaded from /var/snap/mosquitto/common/mosquitto.conf.
1609159885: Opening ipv4 listen socket on port 1883.
1609159885: Opening ipv4 listen socket on port 8883.
1609159885: Opening ipv6 listen socket on port 8883.
1609159885: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/burooq.com/chain.pem".
1609159885: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
1609159885: OpenSSL Error[1]: error:2006D002:BIO routines:BIO_new_file:system lib
1609159885: OpenSSL Error[2]: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
My web server is (include version):
Linux
The operating system my web server runs on is (include version):
Ubuntu 18
My hosting provider, if applicable, is:
godaddy
I can login to a root shell on my machine (yes or no, or I don't know):
yes, all installed as root
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

1 Like

Hi @matrixall

If you have that error, your server doesn't send the intermediate certificate.

Use fullchain.pem instead of chain.pem. There the intermediate certificate is included.

Your port 443 sends both certificates.

1 Like

Looks like a permission problem. As which user is mosquitto running? What are the permissions of all the directories and files under /etc/letsencrypt?

Also, what is your TLS configuration for Mosquitto? It looks like you're using cafile, but I don't think that's required, as that config option is meant for client certificate authentication.

2 Likes
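The permission question above can be answered mechanically. The following is an added diagnostic script, not something posted in this thread or shipped with Mosquitto or Certbot: it walks every directory component of a certificate path and reports the first one that the "other" permission class cannot traverse (no o+x on a directory) or read (no o+r on the file), which is the class a dedicated non-root service user falls into when it neither owns the path nor belongs to its group. It assumes GNU coreutils (`stat -c`, `readlink -f`); the function names and the `/etc/letsencrypt/live/example.com/chain.pem` usage path are illustrative. Because Let's Encrypt's `live/*.pem` files are symlinks into `archive/`, both the literal path and its resolved target are checked.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): find the component of a certificate
# path that stops an unprivileged process from opening it. OpenSSL reports that
# situation as "fopen: Permission denied", exactly the error in the question.
# Requires GNU stat and readlink.

# check_other_access PATH
#   prints "ok: ...", "blocked: ..." or "missing: ..."
#   returns 0 when readable by "other", 1 when a component blocks, 2 when absent
check_other_access() {
    target=$1
    case "$target" in
        /*) ;;
        *) target="$(pwd)/$target" ;;   # make relative paths absolute
    esac
    prefix=""
    remaining="${target#/}"
    while [ -n "$remaining" ]; do
        component="${remaining%%/*}"
        prefix="$prefix/$component"
        case "$remaining" in
            */*) remaining="${remaining#*/}" ;;
            *)   remaining="" ;;
        esac
        if [ ! -e "$prefix" ]; then
            echo "missing: $prefix"
            return 2
        fi
        # octal mode; the last digit is the "other" class (r=4 w=2 x=1).
        # A symlink component reports 777 here, which is fine: the resolved
        # target is checked separately by check_cert_path below.
        mode=$(stat -c '%a' "$prefix")
        other=$(( mode % 10 ))
        if [ -d "$prefix" ]; then
            # a directory must be searchable (x) to reach anything inside it
            if [ $(( other & 1 )) -eq 0 ]; then
                echo "blocked: $prefix (mode $mode, no o+x)"
                return 1
            fi
        elif [ $(( other & 4 )) -eq 0 ]; then
            echo "blocked: $prefix (mode $mode, no o+r)"
            return 1
        fi
    done
    echo "ok: $target readable by other"
    return 0
}

# check_cert_path PATH
#   Let's Encrypt's live/*.pem files are symlinks into archive/, so both the
#   literal path and its resolved target have to pass.
check_cert_path() {
    check_other_access "$1" || return $?
    resolved=$(readlink -f "$1")
    if [ "$resolved" != "$1" ]; then
        check_other_access "$resolved" || return $?
    fi
    return 0
}

# Usage (illustrative path): sh check_cafile.sh /etc/letsencrypt/live/example.com/chain.pem
if [ -n "${1:-}" ]; then
    check_cert_path "$1"
fi
```

Two caveats when reading its output: the script looks only at classic mode bits, so an ACL granted with `setfacl` (as tried later in this thread) is not reflected, and a service installed as a snap runs under snap confinement, which can refuse access to host paths such as `/etc/letsencrypt` even when every mode bit would allow it. A "blocked" line therefore points at a real obstacle, but an "ok" line does not by itself prove the confined service can open the file.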

fullchain.pem produces the same error.

1 Like

Everything was installed under root access.

1 Like

You might consider looking at _az's responses in this topic:

1 Like

It seems acl is not installed by default. I had to install it, then I ran:

sudo setfacl -R -m u:THEUSER:rX /etc/letsencrypt/{live,archive}

But the issue still persists.

I changed THEUSER to root, but it didn't work on root.
I changed it to another account, and it worked under that account.

2 Likes