WrongAboutMostThings

Reputation: 875

Mosquitto on EC2 with TLS

Problem

I want to setup my MQTT broker on an AWS EC2 instance and connect to it with TLS.

I have the instance running and I can connect (pub/sub) to Mosquitto from my local machine successfully with vanilla unencrypted MQTT. When using TLS, I get the error tlsv1 alert unknown ca.

After many hours of reading and trying different tutorials and examples, I still can't figure this out. Here's what I did, which in my (limited) understanding of certificates and encryption should work:

What I tried

Let's say my EC2 instance is available at host ec2-x.compute-1.amazonaws.com and IP 54.1.1.1. My local network's IP is 192.77.77.77.

SSH into EC2 and generate certificates using OwnTracks's generate-CA.sh in a directory ~/iot. I generate the certs by issuing

HOSTLIST="ec2-x.compute-1.amazonaws.com" IPLIST="54.1.1.1" bash ./generate-CA.sh ec2-x.compute-1.amazonaws.com

Certificate generation results in a bunch of files, namely

ca.crt ca.key ca.srl ec2-x.compute-1.amazonaws.com.crt ec2-x.compute-1.amazonaws.com.csr ec2-x.compute-1.amazonaws.com.key

Now I'm ready to configure my broker with mqtt.conf:

# mosquitto.conf
listener 8883
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
cafile ./ca.crt
certfile ./ec2-x.compute-1.amazonaws.com.crt
keyfile ./ec2-x.compute-1.amazonaws.com.key

Time to start the broker with mosquitto -c mqtt.conf.

In order to sub to the broker, I copy the content of ca.crt to my laptop and run mosquitto_sub -h ec2-x.compute-1.amazonaws.com -p 8883 --cafile ca.crt -t +.

Resulting error

What I get on the subscriber side is

Error: A TLS error occurred.

The server does realize there is a connection attempt happening but reacts with

1475320985: New connection from 192.77.77.77 on port 8883.
1475320986: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1475320986: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1475320986: Socket error on client , disconnecting.

I've tried following guides step by step like this very good one or this one but to no avail.

Upvotes: 3

Views: 1845

Answers (1)

WrongAboutMostThings

Reputation: 875

While I was writing this down, I realized that in my last attempt (which followed all the steps lined out above), I forgot to copy the ca.crt file to the client before trying to subscribe it to the broker.

With the wrong ca.crt file installed on the client (a different one from a previous attempt), the above unknown ca error makes a lot of sense. After copying the file to the client, it successfully connected with TLS to the broker on EC2.

I figured I'd still post the question as it took me some hours to figure all the details in all the steps out, and it might come in handy for others running into similar problems.

Upvotes: 5
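The root cause above (a stale ca.crt on the client) can be caught before the client ever opens a connection by checking that the CA file it holds actually issued the broker's certificate. The script below is an added example, not part of the question or answer and not from the OwnTracks project: it builds a throwaway "current" CA and a "stale" CA with the openssl CLI, issues a broker certificate for the hostname from the question under the current CA, and runs the chain check against both. Paths, the CA names and the check_chain helper are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that a ca.crt handed to an MQTT client is the CA that
# signed the broker certificate. A client holding a CA file from an earlier
# generate-CA.sh run fails the handshake with "tlsv1 alert unknown ca".
# Assumes only the openssl CLI; every certificate here is constructed in a temp dir.
set -e
WORK="$(mktemp -d)"
HOST="ec2-x.compute-1.amazonaws.com"   # broker hostname from the question, used as CN

# Create a self-signed CA (stands in for the ca.crt/ca.key pair generate-CA.sh writes).
make_ca() {  # $1 = basename for the output files
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA $1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a broker certificate for $HOST signed by CA $1 (like the ec2-x...crt file).
make_server_cert() {  # $1 = CA basename, $2 = output basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# The check a client should run on its copy of ca.crt: does the broker
# certificate chain to it? Returns 0 when it does, 1 when it does not.
# Matching on ": OK" in the output works across openssl versions whose
# exit status for a failed verify differs.
check_chain() {  # $1 = ca.crt path, $2 = broker .crt path
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK'; then
    echo "ok: $2 chains to $1"; return 0
  fi
  echo "unknown ca: $2 does NOT chain to $1"; return 1
}

make_ca current            # CA from the latest generate-CA.sh run
make_ca stale              # CA left over from a previous attempt
make_server_cert current broker

check_chain "$WORK/current.crt" "$WORK/broker.crt"            # ok
check_chain "$WORK/stale.crt"   "$WORK/broker.crt" || true    # the question's failure
```

Running the same check on the laptop against the ca.crt it holds and a copy of the broker's .crt file tells you in advance whether mosquitto_sub will be rejected with unknown ca.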
