Mosca letsencrypt

Hi,
I am using letsencrypt with certbot-auto on an Ubuntu 14.04 server.
My mqtt server (mosca) points to this certificate info.
For some reason it seems to think this is a self-signed certificate.
Is there something wrong I am doing when I generate the certificate?

How do you ‘point’ to the certificate in Mosca?

Does Mosca give you an exact, perhaps verbose, error message?

Hi… In mosca I point to the 2 files:
'/etc/letsencrypt/live/myurl/privkey.pem',
'/etc/letsencrypt/live/myurl/cert.pem',
The error using the Paho mqtt client is:
The error is WebSocket connection to 'wss://someurl:3443/' failed: Error in connection establishment: net::ERR_INSECURE_RESPONSE
Paho.MQTT.ClientImpl._doConnect @ mqttws31.js:979
Paho.MQTT.ClientImpl.connect @ mqttws31.js:849
Client.connect @ mqttws31.js:1799
$scope.connect @ admin.controller.js:181
fn @ VM253:4
expensiveCheckFn @ angular.js:16123
callback @ angular.js:26490
$eval @ angular.js:17913
$apply @ angular.js:18013
(anonymous) @ angular.js:26495
defaultHandlerWrapper @ angular.js:3540
eventHandler @ angular.js:3528
angular.js:14110 onConnectFail:[AMQJS0007E Socket error:undefined.][7]
If I use the mqtt.js client I need to set the rejectUnauthorized: false flag.
I then ran it using this node core basic: https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
This worked if I used the cert in the options config and tested using curl and the --cacert flag using the fullchain.pem or vice versa.
I then tried the basic https://github.com/mcollina/mosca/wiki/MQTT-over-Websockets#separate-http-server. This does not work unless the client supports an insecure-like mode such as the mqtt.js rejectUnauthorized flag. The same attach method for an insecure http server works…
This leads me to suspect the cert file is being interpreted as self signed when it is not.

What happens if you don’t point at cert.pem, but at fullchain.pem?

I just tried a fullchain, fullchain permutation for the node.js https test and that works.
I am going to try that for the wss test

Nope… No go!
Only connects with the rejectUnauthorized flag

Hi… I’m so embarrassed. I finally worked out what was wrong. I was using IP addresses to connect to my wss interface. As I did not declare this when I created the certificate I got the following error:
error: Error: Hostname/IP doesn't match certificate's altnames: "IP: xx.yy.zz is not in the cert's list: ".
I have never created a cert before. Is this common practice to include the host IP address?


I don't know about common practice (I'm inclined to say "no"), but Let's Encrypt has opted to not allow IP addresses in their certificates, so even if you wanted to, with Let's Encrypt you can't :slight_smile:

Aah… Thanks… At least I don't have to agonise about whether or not?
