Please fill out the fields below so we can help you better.
My domain is:
letrikasol.com
I would like to reuse certificate for NGINX also for MQTT.
I have successfully enabled certificate on NGINX but I can’t use it for Mosquitto MQTT broker.
Is certificate limited to service (port) and I have to generate new or extend existing one for MQTT?
Hi @bjurkovic,
Certificates have no concept of port or specific services. You can use the same certificate for multiple services using different ports as long as they both share the domain name(s) that are covered by the certificate.
I haven't used MQTT but I suspect you'll need to share your configuration & any errors that are being output for anyone to have ideas on how to help.
My mosquitto configuration:
listener 8883
cafile /etc/letsencrypt/live/cloud.letrikasol.com/chain.pem
certfile /etc/letsencrypt/live/cloud.letrikasol.com/cert.pem
keyfile /etc/letsencrypt/live/cloud.letrikasol.com/privkey.pem
tls_version tlsv1.2
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto_tls.log
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
log_type debug
connection_messages true
When I restart mosquitto service service reports:
1498587998: mosquitto version 1.4.12 (build date 2017-05-30 09:08:08+0000) starting
1498587998: Config loaded from /etc/mosquitto/mosquitto_tls.conf.
1498587998: Opening ipv4 listen socket on port 8883.
1498587998: Opening ipv6 listen socket on port 8883.
1498587998: Error: Unable to load CA certificates. Check cafile “/etc/letsencrypt/live/cloud.letrikasol.com/chain.pem”.
All Let’s encrypt files are on /etc/letsencrypt/live/cloud.letrikasol.com folder:
lrwxrwxrwx. 1 root root 44 Jun 27 10:37 cert.pem -> …/…/archive/cloud.letrikasol.com/cert1.pem
lrwxrwxrwx. 1 root root 45 Jun 27 10:37 chain.pem -> …/…/archive/cloud.letrikasol.com/chain1.pem
lrwxrwxrwx. 1 root root 49 Jun 27 10:37 fullchain.pem -> …/…/archive/cloud.letrikasol.com/fullchain1.pem
lrwxrwxrwx. 1 root root 47 Jun 27 10:37 privkey.pem -> …/…/archive/cloud.letrikasol.com/privkey1.pem
According to the documentation, cafile is for something else (trusted root certificates), and it would probably be more correct to use capath /etc/ssl/certs on most systems.
This does raise the question of whether mosquitto gives you a way to serve intermediate certificates. You can try certfile /etc/letsencrypt/live/cloud.letrikasol.com/fullchain.pem and hope that it knows what to do with it; otherwise, you’ll probably be serving an incomplete chain and some clients may refuse to connect (which I would regard as a bug in mosquitto’s TLS support).
I changed cafile to cafile /etc/ssl/certs/ca-bundle.trust.crt and the configuration pass this directive, but fullchain.pem did not work.
1498588684: Error: Unable to load server certificate “/etc/letsencrypt/live/cloud.letrikasol.com/fullchain.pem”. Check certfile.
So, I think there is probably a mosquitto bug that it doesn’t let you specify a certificate chain, only a leaf certificate. In current practice this is wrong behavior because end-entity certificates (for sites and servers) are only allowed to be issued by intermediate certificate authorities, not directly by root certificate authorities.
Sometimes people don’t notice this when connecting via web browsers, because the browsers can cache intermediate certificate authorities’ certificates that they’ve seen before. However, the correct practice would be to serve the complete chain, including any necessary intermediate CAs. That’s what fullchain.pem is for (as an alternative to separately specifying chain.pem).
If you just specify cert.pem, mosquitto will possibly be willing to run, but you might get certificate validation errors on the client side.
Do you mean I don’t use cafile at all?
You can use cafile (with the certificate bundle that you found), but it does something else and won’t help address this problem.
If you specify
certfile /etc/letsencrypt/live/cloud.letrikasol.com/cert.pem keyfile /etc/letsencrypt/live/cloud.letrikasol.com/privkey.pem
as you did before, I think mosquitto will be able to start running, but presumably serving an incomplete certificate chain, because we haven’t found a way to get it to serve the intermediate certificate.
I did this and it works. Now i just have to figure out how to connect client on broker.
Hi. I managed to include cafile back. The problem was in service file, where I was running as mosquitto user and not as root. Sorry for your time.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.