Reputation: 696
I'm trying to run an MQTT broker (Mosquitto) with TLS support. I followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt to generate the certificates and configuration. If I run
sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -d -v
It throws an error in /var/log/mosquitto/mosquitto.log:
mosquitto version 1.4.8 (build date Fri, 19 Feb 2016 12:03:16 +0100) starting
Config loaded from /etc/mosquitto/mosquitto.conf.
Opening ipv4 listen socket on port 8883.
Opening ipv6 listen socket on port 8883.
Error: Unable to load server key file "/etc/mosquitto/certs/mqtt_server.key". Check keyfile.
Here is my configuration in conf.d/mymqtt.conf:
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/mqtt_ca.crt
certfile /etc/mosquitto/certs/mqtt_server.crt
keyfile /etc/mosquitto/certs/mqtt_server.key
require_certificate true
tls_version tlsv1.2
user mosquitto
These certificate and key files are present in the proper location.
And here is the content of the default mosquitto.conf:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
Upvotes: 1
Views: 3952
Reputation: 21
For posterity: you also get this error if the key doesn't match the certificate. So remember to check that:
openssl rsa -noout -in key.pem -modulus | openssl md5
should match
openssl x509 -noout -in cert.pem -modulus | openssl md5
I spent hours trying to fix this until I realised I'd mixed up the keys.
Upvotes: 2
Reputation: 518
I ran into the same issue once, and it was because the key was password-protected. I changed the file settings so that the key file was readable only by a specific set of users and removed the password.
Upvotes: 2
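Added example (not from the question or either answer) that turns the two diagnoses above into a pre-flight script run before starting the broker: it checks that the key is not passphrase-protected, that its public key matches the certificate, and that the key file is not world-readable. It assumes a POSIX sh with openssl and stat available; the paths in the usage comment are the ones from the question. It compares public keys rather than RSA moduli, so it also covers EC keys.

```shell
#!/bin/sh
# Pre-flight checks for a Mosquitto listener's certfile/keyfile pair (POSIX sh + openssl).
# Usage: sh check_mosquitto_tls.sh /etc/mosquitto/certs/mqtt_server.crt \
#                                  /etc/mosquitto/certs/mqtt_server.key

# 0 if the PEM key is passphrase-protected: matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# 0 if the public key in the cert equals the one derived from the private key,
# 1 on mismatch, 2 if either file cannot be parsed (e.g. an encrypted key).
# Comparing the PEM public keys works for RSA and EC alike, whereas the
# -modulus comparison is RSA-only.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    # dummy -passin so an encrypted key fails immediately instead of prompting
    key_pub=$(openssl pkey -pubout -in "$2" -passin pass:x 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the key is not world-readable, 1 otherwise (GNU stat first, BSD fallback).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in *[4567]) return 1 ;; esac
    return 0
}

# Runs all three checks; returns 0 only when Mosquitto can use the pair as-is.
check_mosquitto_tls() {
    cert=$1; key=$2; rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; the broker cannot prompt for it"; rc=1
    fi
    key_matches_cert "$cert" "$key"
    case $? in
        0) echo "ok: $key matches $cert" ;;
        1) echo "FAIL: $key does not belong to the certificate in $cert"; rc=1 ;;
        *) echo "FAIL: could not parse $cert or $key"; rc=1 ;;
    esac
    if ! key_perms_ok "$key"; then
        echo "WARN: $key is world-readable; restrict it to the broker user"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then check_mosquitto_tls "$1" "$2"; fi
```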