Same certificate for NGINX and MQTT mosquitto


My domain is:
letrikasol.com

I would like to reuse certificate for NGINX also for MQTT.

I have successfully enabled certificate on NGINX but I can’t use it for Mosquitto MQTT broker.

Is certificate limited to service (port) and I have to generate new or extend existing one for MQTT?

Hi @bjurkovic,

Certificates have no concept of port or specific services. You can use the same certificate for multiple services using different ports as long as they both share the domain name(s) that are covered by the certificate.

I haven't used MQTT but I suspect you'll need to share your configuration & any errors that are being output for anyone to have ideas on how to help.

My mosquitto configuration:

listener 8883

cafile /etc/letsencrypt/live/cloud.letrikasol.com/chain.pem
certfile /etc/letsencrypt/live/cloud.letrikasol.com/cert.pem
keyfile /etc/letsencrypt/live/cloud.letrikasol.com/privkey.pem

tls_version tlsv1.2

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto_tls.log
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
log_type debug

connection_messages true

log_timestamp true

When I restart the mosquitto service, the service reports:
1498587998: mosquitto version 1.4.12 (build date 2017-05-30 09:08:08+0000) starting
1498587998: Config loaded from /etc/mosquitto/mosquitto_tls.conf.
1498587998: Opening ipv4 listen socket on port 8883.
1498587998: Opening ipv6 listen socket on port 8883.
1498587998: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/cloud.letrikasol.com/chain.pem".

All Let's Encrypt files are in the /etc/letsencrypt/live/cloud.letrikasol.com folder:
lrwxrwxrwx. 1 root root 44 Jun 27 10:37 cert.pem -> …/…/archive/cloud.letrikasol.com/cert1.pem
lrwxrwxrwx. 1 root root 45 Jun 27 10:37 chain.pem -> …/…/archive/cloud.letrikasol.com/chain1.pem
lrwxrwxrwx. 1 root root 49 Jun 27 10:37 fullchain.pem -> …/…/archive/cloud.letrikasol.com/fullchain1.pem
lrwxrwxrwx. 1 root root 47 Jun 27 10:37 privkey.pem -> …/…/archive/cloud.letrikasol.com/privkey1.pem

According to the documentation, cafile is for something else (trusted root certificates), and it would probably be more correct to use capath /etc/ssl/certs on most systems.

This does raise the question of whether mosquitto gives you a way to serve intermediate certificates. You can try certfile /etc/letsencrypt/live/cloud.letrikasol.com/fullchain.pem and hope that it knows what to do with it; otherwise, you’ll probably be serving an incomplete chain and some clients may refuse to connect (which I would regard as a bug in mosquitto’s TLS support).

I changed cafile to cafile /etc/ssl/certs/ca-bundle.trust.crt and the configuration passes this directive, but fullchain.pem did not work.

1498588684: Error: Unable to load server certificate "/etc/letsencrypt/live/cloud.letrikasol.com/fullchain.pem". Check certfile.

So, I think there is probably a mosquitto bug that it doesn’t let you specify a certificate chain, only a leaf certificate. In current practice this is wrong behavior because end-entity certificates (for sites and servers) are only allowed to be issued by intermediate certificate authorities, not directly by root certificate authorities.

Sometimes people don’t notice this when connecting via web browsers, because the browsers can cache intermediate certificate authorities’ certificates that they’ve seen before. However, the correct practice would be to serve the complete chain, including any necessary intermediate CAs. That’s what fullchain.pem is for (as an alternative to separately specifying chain.pem).

If you just specify cert.pem, mosquitto will possibly be willing to run, but you might get certificate validation errors on the client side.

Do you mean I don’t use cafile at all?

You can use cafile (with the certificate bundle that you found), but it does something else and won’t help address this problem.

If you specify

certfile /etc/letsencrypt/live/cloud.letrikasol.com/cert.pem
keyfile /etc/letsencrypt/live/cloud.letrikasol.com/privkey.pem

as you did before, I think mosquitto will be able to start running, but presumably serving an incomplete certificate chain, because we haven’t found a way to get it to serve the intermediate certificate.

I did this and it works. Now I just have to figure out how to connect a client to the broker.

Hi. I managed to include cafile back. The problem was in service file, where I was running as mosquitto user and not as root. Sorry for your time.
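The thread resolves two separate things: the "Unable to load" errors came from the broker running as a non-root account that cannot search certbot's root-only live/ and archive/ directories, and the earlier replies point out that a certfile holding only cert.pem serves an incomplete chain. The following pre-flight checker, an added example that is not code from this thread or from the mosquitto project, covers both: it parses the cafile/certfile/keyfile directives out of a mosquitto.conf, walks every directory on each path (both as written and after resolving certbot's symlinks) applying plain Unix owner/group/other permission rules for a given uid, and counts the PEM certificate blocks in each file so a leaf-only certfile stands out. The demo builds a constructed certbot-style tree under a temp directory with dummy PEM text (no real keys), a placeholder domain broker.example and a made-up broker uid 54321; none of those values come from the thread.

```python
"""Pre-flight check for a mosquitto TLS listener: can the account the broker
runs as open cafile/certfile/keyfile, and how many certificates does each
PEM file carry (1 = leaf only, 2+ = leaf plus intermediates)?
Added example; not part of the original thread and not mosquitto's own code."""
import os
import re
import shutil
import stat
import tempfile

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----")
TLS_DIRECTIVES = ("cafile", "certfile", "keyfile")


def parse_tls_paths(conf_text):
    """Return {directive: path} for the TLS file directives in a mosquitto.conf."""
    paths = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            paths[parts[0]] = parts[1].strip()
    return paths


def _mode_allows(st, uid, gids, other_bit):
    """Classic Unix DAC: owner bits if uid owns the entry, group bits if one of
    gids matches, else the 'other' bits. uid 0 bypasses read/search checks."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)


def _walk_ok(full, base, uid, gids):
    """Every directory below `base` needs search (x); the final entry needs read (r)."""
    comps = full.strip("/").split("/")
    cur = "/"
    for i, comp in enumerate(comps):
        cur = os.path.join(cur, comp)
        if cur == base or base.startswith(cur + "/"):
            continue  # caller asserts this prefix (e.g. /etc) is reachable
        try:
            st = os.stat(cur)
        except OSError:
            return False
        if i < len(comps) - 1:
            if not stat.S_ISDIR(st.st_mode) or not _mode_allows(st, uid, gids, stat.S_IXOTH):
                return False
        elif not _mode_allows(st, uid, gids, stat.S_IROTH):
            return False
    return True


def readable_by(path, uid, gids=(), assume_reachable="/"):
    """True if uid (member of gids) could open `path` for reading. The path as
    written and its symlink-resolved form are both walked, because certbot's
    live/ entries are links into archive/ and both directories must be searchable."""
    base = os.path.realpath(assume_reachable)
    literal = os.path.join(os.path.realpath(os.path.dirname(path)), os.path.basename(path))
    return all(_walk_ok(p, base, uid, gids) for p in {literal, os.path.realpath(path)})


def count_certs(path):
    """Number of PEM certificate blocks in a file (a leaf-only cert.pem has 1)."""
    with open(path, "rb") as fh:
        return len(PEM_CERT.findall(fh.read().decode("ascii", "replace")))


def check_listener(conf_text, uid, gids=(), assume_reachable="/"):
    """Per directive: readable by uid, and certificate count for cafile/certfile."""
    report = {}
    for directive, path in parse_tls_paths(conf_text).items():
        ok = readable_by(path, uid, gids, assume_reachable)
        certs = count_certs(path) if ok and directive != "keyfile" and os.access(path, os.R_OK) else None
        report[directive] = {"readable": ok, "certs": certs}
    return report


def demo():
    """Constructed certbot-style tree (dummy PEM text, placeholder domain) showing why
    a broker started as a non-root account cannot load the files until live/ and
    archive/ are searchable, and that the 0600 key still needs its own arrangement."""
    root = tempfile.mkdtemp()
    domain = "broker.example"  # placeholder, not the poster's domain
    archive, live = (os.path.join(root, d, domain) for d in ("archive", "live"))
    os.makedirs(archive)
    os.makedirs(live)
    cert_block = "-----BEGIN CERTIFICATE-----\nMIIB(dummy)\n-----END CERTIFICATE-----\n"
    files = {"cert1.pem": cert_block, "chain1.pem": cert_block, "fullchain1.pem": cert_block * 2,
             "privkey1.pem": "-----BEGIN PRIVATE KEY-----\n(dummy)\n-----END PRIVATE KEY-----\n"}
    for name, body in files.items():
        target = os.path.join(archive, name)
        with open(target, "w") as fh:
            fh.write(body)
        os.chmod(target, 0o600 if name.startswith("privkey") else 0o644)
        # live/<domain>/cert.pem -> ../../archive/<domain>/cert1.pem, as certbot lays it out
        os.symlink(os.path.join("..", "..", "archive", domain, name),
                   os.path.join(live, name.replace("1.pem", ".pem")))
    os.chmod(archive, 0o755)
    os.chmod(live, 0o755)
    top_dirs = (os.path.join(root, "live"), os.path.join(root, "archive"))
    for d in top_dirs:
        os.chmod(d, 0o700)  # certbot's default: root-only
    conf = f"listener 8883\ncafile {live}/chain.pem\ncertfile {live}/fullchain.pem\nkeyfile {live}/privkey.pem\n"
    broker_uid = 54321  # constructed uid standing in for a non-root 'mosquitto' account
    before = check_listener(conf, broker_uid, (), root)
    as_root = check_listener(conf, 0, (), root)
    for d in top_dirs:
        os.chmod(d, 0o755)
    after = check_listener(conf, broker_uid, (), root)
    shutil.rmtree(root)
    return before, as_root, after


if __name__ == "__main__":
    for label, report in zip(("as mosquitto user", "as root", "dirs opened"), demo()):
        print(label, report)
```

In the demo, the first report shows every file unreadable for the broker uid (the 0700 live/ and archive/ directories block the walk), the root report shows everything readable with one certificate in chain.pem and two in fullchain.pem, and after opening the directories the key is still unreadable because certbot keeps privkey 0600, which is why the poster's fix of running the service as root made the errors disappear.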
