Mosca letsencrypt


#1

Hi,
I am using letsencrypt with certbot-auto on an Ubuntu 14.04 server.
My mqtt server (mosca) points to this certificate info.
For some reason it seems to think this is a self-signed certificate.
Is there something wrong I am doing when I generate the certificate?


#2

How do you ‘point’ to the certificate in Mosca?

Does Mosca give you an exact, perhaps verbose, error message?


#3

Hi… In mosca I point to the 2 files:
’/etc/letsencrypt/live/myurl/privkey.pem’,
’/etc/letsencrypt/live/myurl/cert.pem’,
The error using the Paho mqtt client is:
The error is WebSocket connection to ‘wss://someurl:3443/’ failed: Error in connection establishment: net::ERR_INSECURE_RESPONSE
Paho.MQTT.ClientImpl._doConnect @ mqttws31.js:979
Paho.MQTT.ClientImpl.connect @ mqttws31.js:849
Client.connect @ mqttws31.js:1799
$scope.connect @ admin.controller.js:181
fn @ VM253:4
expensiveCheckFn @ angular.js:16123
callback @ angular.js:26490
$eval @ angular.js:17913
$apply @ angular.js:18013
(anonymous) @ angular.js:26495
defaultHandlerWrapper @ angular.js:3540
eventHandler @ angular.js:3528
angular.js:14110 onConnectFail:[AMQJS0007E Socket error:undefined.][7]
If I use the mqtt,js client I need to set rejectUnauthorized: false flag.
I then ran it using this node core basic: https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
This worked if I used the cert in the options config and tested using curl and the --cacert flag using the fullchain.pem or vice versa.
I then tried the basichttps://github.com/mcollina/mosca/wiki/MQTT-over-Websockets#separate-http-server. This does not work unless the client supports an insecure like mode like the mqtt.js rejectUnauthorized flag. The same attach method for an insecure http server works…
This leads me to suspect the cert file is being interpreted as self signed when it is not.


#4

What happens if you don’t point at cert.pem, but at fullchain.pem?


#5

I just tried a fullchain, fullchain permutation for the node.js https test and that works.
I am going to try that for the wss test


#6

Nope… No go!
Only connects with the rejectUnauthorized flag


#7

Hi… I’m so embarrassed. I finally worked out what was wrong. I was using IP addresses to connect to my wss interface. As I did not declare this when I created the certificate I got the following error:
error: Error: Hostname/IP doesn’t match certificate’s altnames: "IP: xx.yy.zz is not in the cert’s list: ".
I have never created a cert before. Is this common practice to include the host IP address?


#8

I don’t know about common practice (I’m inclined to say “no”), but Let’s Encrypt has opted to not allow IP addresses in their certificates, so even if you wanted to, with Let’s Encrypt you can’t :slight_smile:


#9

Aah… Thankx… At least I don’t have to agonise about whether or not?


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.