Hi,I am using letsencrypt with certbot-auto on an Ubuntu 14.04 server.My mqtt server (mosca) points to this certificate info.For some reason it seems to think this is a self-signed certificate.Is there something wrong I am doing when I generate the certificate?
How do you 'point' to the certificate in Mosca?
Does Mosca give you an exact, perhaps verbose, error message?
Hi... In mosca I point to the 2 files: '/etc/letsencrypt/live/myurl/privkey.pem', '/etc/letsencrypt/live/myurl/cert.pem',The error using the Paho mqtt client is:The error is WebSocket connection to 'wss://someurl:3443/' failed: Error in connection establishment: net::ERR_INSECURE_RESPONSEPaho.MQTT.ClientImpl._doConnect @ mqttws31.js:979Paho.MQTT.ClientImpl.connect @ mqttws31.js:849Client.connect @ mqttws31.js:1799$scope.connect @ admin.controller.js:181fn @ VM253:4expensiveCheckFn @ angular.js:16123callback @ angular.js:26490$eval @ angular.js:17913$apply @ angular.js:18013(anonymous) @ angular.js:26495defaultHandlerWrapper @ angular.js:3540eventHandler @ angular.js:3528angular.js:14110 onConnectFail:[AMQJS0007E Socket error:undefined.]If I use the mqtt,js client I need to set rejectUnauthorized: false flag.I then ran it using this node core basic: https://nodejs.org/api/https.html#https_https_createserver_options_requestlistenerThis worked if I used the cert in the options config and tested using curl and the --cacert flag using the fullchain.pem or vice versa.I then tried the basichttps://github.com/mcollina/mosca/wiki/MQTT-over-Websockets#separate-http-server. This does not work unless the client supports an insecure like mode like the mqtt.js rejectUnauthorized flag. The same attach method for an insecure http server works...This leads me to suspect the cert file is being interpreted as self signed when it is not.
What happens if you don't point at cert.pem, but at fullchain.pem?
I just tried a fullchain, fullchain permutation for the node.js https test and that works.I am going to try that for the wss test
Nope... No go!Only connects with the rejectUnauthorized flag
Hi... I'm so embarrassed. I finally worked out what was wrong. I was using IP addresses to connect to my wss interface. As I did not declare this when I created the certificate I got the following error:error: Error: Hostname/IP doesn't match certificate's altnames: "IP: xx.yy.zz is not in the cert's list: ".I have never created a cert before. Is this common practice to include the host IP address?
I don't know about common practice (I'm inclined to say "no"), but Let's Encrypt has opted to not allow IP addresses in their certificates, so even if you wanted to, with Let's Encrypt you can't
Aah... Thankx... At least I don't have to agonise about whether or not?