I would like to reuse the certificate for NGINX also for MQTT.
I have successfully enabled the certificate on NGINX, but I can't use it for the Mosquitto MQTT broker.
Is the certificate limited to a service (port), so that I have to generate a new one or extend the existing one for MQTT?
Certificates have no concept of port or specific services. You can use the same certificate for multiple services using different ports as long as they both share the domain name(s) that are covered by the certificate.
I haven't used MQTT but I suspect you'll need to share your configuration & any errors that are being output for anyone to have ideas on how to help.
My mosquitto configuration:
log_dest file /var/log/mosquitto/mosquitto_tls.log
When I restart the mosquitto service, the service reports:
1498587998: mosquitto version 1.4.12 (build date 2017-05-30 09:08:08+0000) starting
1498587998: Config loaded from /etc/mosquitto/mosquitto_tls.conf.
1498587998: Opening ipv4 listen socket on port 8883.
1498587998: Opening ipv6 listen socket on port 8883.
1498587998: Error: Unable to load CA certificates. Check cafile “/etc/letsencrypt/live/cloud.letrikasol.com/chain.pem”.
All Let's Encrypt files are in the /etc/letsencrypt/live/cloud.letrikasol.com folder:
lrwxrwxrwx. 1 root root 44 Jun 27 10:37 cert.pem -> ../../archive/cloud.letrikasol.com/cert1.pem
lrwxrwxrwx. 1 root root 45 Jun 27 10:37 chain.pem -> ../../archive/cloud.letrikasol.com/chain1.pem
lrwxrwxrwx. 1 root root 49 Jun 27 10:37 fullchain.pem -> ../../archive/cloud.letrikasol.com/fullchain1.pem
lrwxrwxrwx. 1 root root 47 Jun 27 10:37 privkey.pem -> ../../archive/cloud.letrikasol.com/privkey1.pem
According to the documentation, cafile is for something else (trusted root certificates), and it would probably be more correct to use capath /etc/ssl/certs on most systems.
This does raise the question of whether mosquitto gives you a way to serve intermediate certificates. You can try certfile /etc/letsencrypt/live/cloud.letrikasol.com/fullchain.pem and hope that it knows what to do with it; otherwise, you'll probably be serving an incomplete chain and some clients may refuse to connect (which I would regard as a bug in mosquitto's TLS support).
I changed cafile to cafile /etc/ssl/certs/ca-bundle.trust.crt and the configuration passes this directive, but fullchain.pem did not work.
1498588684: Error: Unable to load server certificate “/etc/letsencrypt/live/cloud.letrikasol.com/fullchain.pem”. Check certfile.
So, I think there is probably a mosquitto bug that it doesn’t let you specify a certificate chain, only a leaf certificate. In current practice this is wrong behavior because end-entity certificates (for sites and servers) are only allowed to be issued by intermediate certificate authorities, not directly by root certificate authorities.
Sometimes people don't notice this when connecting via web browsers, because the browsers can cache intermediate certificate authorities' certificates that they've seen before. However, the correct practice would be to serve the complete chain, including any necessary intermediate CAs. That's what fullchain.pem is for (as an alternative to separately specifying
If you just specify cert.pem, mosquitto will possibly be willing to run, but you might get certificate validation errors on the client side.
Do you mean I don’t use cafile at all?
You can use cafile (with the certificate bundle that you found), but it does something else and won't help address this problem.
If you specify
certfile /etc/letsencrypt/live/cloud.letrikasol.com/cert.pem keyfile /etc/letsencrypt/live/cloud.letrikasol.com/privkey.pem
as you did before, I think mosquitto will be able to start running, but presumably serving an incomplete certificate chain, because we haven’t found a way to get it to serve the intermediate certificate.
I did this and it works. Now I just have to figure out how to connect a client to the broker.
Hi. I managed to include cafile back. The problem was in the service file, where I was running as the mosquitto user and not as root. Sorry for your time.
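A pre-flight check that ties the two findings of this thread together, added here as an example (it is not from the Mosquitto project or from anyone in the thread): it reads the cafile/certfile/keyfile directives from a mosquitto config, checks that each resolved path is readable by the user running the check (the root cause found above, since /etc/letsencrypt/live and archive are root-only), and counts the PEM blocks in certfile to show whether an intermediate certificate is included. The script name, the config path and the sample files in the test are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a mosquitto TLS listener configuration (added example).
# Run it as the user the broker runs as, e.g.
#   sudo -u mosquitto sh check.sh /etc/mosquitto/mosquitto_tls.conf
# because the readability test below reflects the invoking user, not root.

# Print how many PEM certificate blocks a file contains.
# cert.pem holds 1 (the leaf); fullchain.pem holds the leaf plus the intermediate(s).
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Check every cafile/certfile/keyfile directive in $1; return 1 if any file is unusable.
check_mosquitto_tls() {
    conf=$1
    rc=0
    for key in cafile certfile keyfile; do
        # First non-comment line whose first word is the directive name.
        path=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"
            continue
        fi
        # Follow the /etc/letsencrypt/live symlink to the file under archive/.
        real=$(readlink -f "$path" 2>/dev/null || echo "$path")
        if [ ! -r "$real" ]; then
            # The failure seen in the thread: live/ and archive/ are root-only,
            # so a broker started as a non-root user cannot open them.
            echo "$key: $path -> $real is not readable by $(id -un)"
            rc=1
            continue
        fi
        if [ "$key" = certfile ]; then
            n=$(count_pem_certs "$real")
            if [ "$n" -lt 2 ]; then
                echo "certfile: $path holds $n certificate(s); no intermediate CA will be served"
            else
                echo "certfile: $path holds $n certificates (leaf + chain)"
            fi
        fi
    done
    return "$rc"
}

# Usage: sh check.sh /etc/mosquitto/mosquitto_tls.conf
if [ -n "${1:-}" ]; then
    check_mosquitto_tls "$1"
fi
```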