Re: [mosquitto-dev] Mosquitto over SSL refuses publishing message
Aman Alam <shekh.aman@xxxxxxxxx> writes:
> listener 8883
> certfile /etc/letsencrypt/live/my-domain.xyz/cert.pem
> cafile /etc/letsencrypt/live/my-domain.xyz/chain.pem
> keyfile /etc/letsencrypt/live/my-domain.xyz/privkey.pem
> "
I would recommend that you read about and understand x.509/pkix.
It's hard to debug TLS things without understanding the big picture.
While mosquitto.conf says

    certfile file path
        Path to the PEM encoded server certificate.

I found that it's necessary to use "fullchain" with certfile, rather
than "cert". I think this is therefore a documentation bug. Or perhaps
it's just underspecified, and mosquitto will happily read the certfile
and send exactly the certs in it. Depending on whether there are
intermediate certificates present, and whether the validator has those
configured as trust anchors, validation may fail.
Of course, mosquitto has to be able to read all the files you point it
at. Until it starts without errors in the log (read every line and
understand it), you should of course resolve that before trying to
connect.
mosquitto.conf also says

    cafile file path
        At least one of cafile or capath must be provided to enable SSL
        support.
        cafile is used to define the path to a file containing the PEM
        encoded CA certificates that are trusted.

    capath directory path
        At least one of cafile or capath must be provided to enable SSL
        support.
        capath is used to define a directory that contains PEM encoded CA
        certificates that are trusted. For capath to work correctly, the
        certificates files must have ".pem" as the file ending and you must
        run "openssl rehash <path to capath>" each time you add/remove a
        certificate.

which is confusing when one is trying to turn on TLS on a listener but
not have inbound client certificates. I would rewrite this as
    cafile /path/to/ca-file.pem
        cafile is used to define the path to a file containing a set
        of trust anchor certificates in PEM format. This can be a
        single CA, if one wishes. It could also be
        ca-certificates.crt from the mozilla rootcerts bundle, if one
        wishes to accept certificates signed by any CA allowed by
        mozilla.

        In addition to setting the trust anchor path for validating
        certificates, setting cafile for a listener causes the
        listener to operate in TLS mode. Thus it is necessary to
        set cafile (or capath) to listen in TLS, even if client
        certificates are not used.

    capath /path/to/ca-dir
        capath is like cafile, except that instead of a file with all
        trust anchor certificates, it refers to an openssl-format
        certificate directory with PEM-encoded files containing CA
        certificates. The certificate files must have ".pem" as the
        file ending, and must have symlinks named by their hashes.
        These symlinks are typically created by running "openssl
        rehash /path/to/ca-dir" each time you add or remove a
        certificate.

        capath also enables TLS on a listener; see cafile for
        discussion.