[mosquitto-dev] odd TLS errors

I am seeing strange SSL errors on connections from a nodemcu sensor:

  1620579609: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error

While I'll be looking into this more, I wanted to write to say:

  if you run TLS, you might want to check that your nodes are connected
  as you expect

  if this rings a bell for anyone, clues would be appreciated.

The long version:

I have a broker running on a VPS under NetBSD 9_stable.  It was 1.6.12
until yesterday, and all was well.  I have two mosquitto instances
bridging to it, a few instances of mosquitto_pub, a custom script using
paho python to report UPS status, and an ESP8266 running nodemcu.  All
mqtt connections are via TLS and there are no websockets involved.

Yesterday, my letsencrypt cert on one of the bridges expired, because I
hadn't made the hook script copy the cert into place and chown it;
before mosquitto 2.0.x it could read the live/ dir directly.  I fixed
that up and that machine was fine.  This was simply user error on my

I then modified the VPS broker config preparatory to upgrading, putting
the certs in the new place, adjusting the hook script, and so on -- but
still 1.6.12.

Today at around 0500, the letsencrypt cert was renewed on the VPS (that
and the expiration of the other machine yesterday is just a
coincidence).  mosquitto was HUP'd.

However, starting then there were connection issues from the ESP8266.  I
gave up debugging it after a brief time and did an update of packages,
rebooted, etc.  After straightening out stuff I should have gotten right
(e.g. mosquitto user needs to be able to read acl/pw files in 2.0.x),
things are mostly ok.

However, the ESP8266 is not connecting.  It's at someone else's house,
on wifi via a comcast router, and hence NAT, but that hasn't changed
recently.  My logs show:

1620579609: New connection from A.B.C.D:1630 on port 8883.
1620579609: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
1620579609: Client <unknown> disconnected: Protocol error.

and then the ESP8266 will reboot as it does on any error and try again.

I have similar devices connected to one of the bridged brokers and those
are fine, but that broker's cert was renewed on April 11.

So I wonder if there is some new hash/keylength/whatever in letsencrypt,
and the nodemcu doesn't like that, or something else.

I tried allowing tlsv1.1 on the broker, since it seems the default is
tlsv1.2 and up.  That didn't change the ESP8266 connect behavior.

I'll post an update if I figure it out, but if anything jumps out at you
clues are most welcome.
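One way to act on the advice above, checking which nodes are failing their TLS handshake after a cert rotation, as an added example that is not part of the original post: a small Python script that correlates mosquitto's "New connection" and "OpenSSL Error" log lines per peer and flags repeat offenders. The log sample is constructed from the lines quoted in the post; A.B.C.D is the post's placeholder and 10.0.0.7 is made up.

```python
import re
from collections import defaultdict

# Constructed sample of mosquitto broker log lines, modelled on the excerpt in
# the post. "A.B.C.D" is the post's placeholder address; 10.0.0.7 is made up.
SAMPLE_LOG = """\
1620579609: New connection from A.B.C.D:1630 on port 8883.
1620579609: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
1620579609: Client <unknown> disconnected: Protocol error.
1620579640: New connection from 10.0.0.7:51234 on port 8883.
1620579640: New client connected from 10.0.0.7:51234 as bridge-1 (p2, c1, k60).
1620579671: New connection from A.B.C.D:1631 on port 8883.
1620579671: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
1620579671: Client <unknown> disconnected: Protocol error.
"""

NEW_CONN = re.compile(r"^(\d+): New connection from (\S+):(\d+) on port \d+\.$")
CONNECTED = re.compile(r"^(\d+): New client connected from (\S+):(\d+) as ")
SSL_ERR = re.compile(r"^(\d+): OpenSSL Error\[\d+\]: (.*)$")


def tls_failures_by_host(log_text):
    """Map each peer address to the (timestamp, OpenSSL error) pairs of its
    connections that died in the TLS handshake, i.e. before the broker
    logged a 'New client connected' line for them."""
    failures = defaultdict(list)
    pending = {}  # "host:port" -> host, for connections not yet resolved
    for line in log_text.splitlines():
        if m := NEW_CONN.match(line):
            _, host, port = m.groups()
            pending[f"{host}:{port}"] = host
        elif m := CONNECTED.match(line):
            pending.pop(f"{m.group(2)}:{m.group(3)}", None)
        elif (m := SSL_ERR.match(line)) and pending:
            # The error line does not name the peer; attribute it to the most
            # recently opened connection that has not completed its handshake.
            key = next(reversed(pending))
            host = pending.pop(key)
            failures[host].append((int(m.group(1)), m.group(2)))
    return dict(failures)


def hosts_over_threshold(failures, min_failures):
    """Peers with at least min_failures handshake failures, most failures first."""
    noisy = [h for h, f in failures.items() if len(f) >= min_failures]
    return sorted(noisy, key=lambda h: -len(failures[h]))


if __name__ == "__main__":
    found = tls_failures_by_host(SAMPLE_LOG)
    for host in hosts_over_threshold(found, 2):
        first = found[host][0]
        print(f"{host}: {len(found[host])} TLS failures, first at {first[0]}: {first[1]}")
```

The peer attribution is a heuristic (the error line carries no address), so on a busy broker with many concurrent handshakes the per-host counts are approximate.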
