cam

Reputation: 63

mosquitto_sub with TLS enabled

I am new to MQTT and I have a frustrating problem.

I have been using MQTT.fx to subscribe to a topic; I have set the:

This works well, however I would like to use mosquitto_sub. I am attempting to subscribe to the same topic in the following way:

mosquitto_sub -h  host -p 8883 -t topic -i client id

This is not working for me. I am using it on an Ubuntu VM.
My powers of observation tell me that I should enable TLS; however, I'm not quite sure how to do that. I have stuffed around with certificates and enabling TLS in many ways but have not got the right combo. I know it is required as, if I uncheck the SSL/TLS box in MQTT.fx, I am unable to connect.

I would really like to replicate what I have in MQTT.fx with mosquitto.

Upvotes: 6

Views: 18986

Answers (3)

energenious

Reputation: 59

I am aware of a 3rd way (shortcut), which is using the flag --tls-use-os-certs.

Also, as a side note, mosquitto_sub/pub also sends SNI within the TLS connection request, which is great news if you are using SNI-based routing on the broker side.

Don't know if the MQTT standard actually prescribes this, but at least the mosquitto client's implementation does support it.

Upvotes: 1

hardillb

Reputation: 59608

To enable SSL with mosquitto_sub you need to specify a CA certificate.

This can be done in 1 of 2 ways.

  1. --cafile /path/to/a/file where the file contains the required trusted CA certificate (either on its own or part of a concatenated set)
  2. --capath /path/to/directory where the directory contains a collection of files ending in .crt which contain the CA certificates to be trusted. The CA certs should also be indexed with the c_rehash function.

Both these options are mentioned in the mosquitto_sub man page as ways to enable SSL.

e.g.

mosquitto_sub -h host -p 8883 --cafile ca.crt -t topic -i client id

Upvotes: 6

Khush Bhatia

Reputation: 518

In the mosquitto_sub command, use the --capath argument to point to /etc/ssl/certs. It needs a pointer to the trusted certificates.

Upvotes: 14
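
The three answers above name three trust options (--cafile, --capath, --tls-use-os-certs). The following is an added example, not code from any of the posters or from the mosquitto project: a small POSIX shell helper that picks the option from a path and refuses a --capath directory that has not been indexed with c_rehash. The function names are hypothetical, and the index check assumes OpenSSL's hashed-directory naming (eight hex digits, a dot, a sequence number).

```shell
#!/bin/sh
# Added example: choose the CA-trust option for mosquitto_sub from a path.
# Function names are hypothetical; only flags named in the answers are used.

# Succeeds if the directory holds at least one OpenSSL hash-named entry
# (8 hex digits, a dot, a sequence number), i.e. c_rehash has been run on it.
capath_is_indexed() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue          # skips unmatched glob / dangling links
        case "${entry##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# Prints the trust arguments for the given path:
#   empty string      -> --tls-use-os-certs
#   regular file      -> --cafile <file>
#   indexed directory -> --capath <dir>
# Returns 1 (message on stderr) for a missing path or an un-indexed directory.
mqtt_trust_args() {
    trust=$1
    if [ -z "$trust" ]; then
        printf '%s\n' --tls-use-os-certs
    elif [ -f "$trust" ]; then
        printf '%s %s\n' --cafile "$trust"
    elif [ -d "$trust" ]; then
        if ! capath_is_indexed "$trust"; then
            echo "capath $trust has no hash links; run c_rehash on it" >&2
            return 1
        fi
        printf '%s %s\n' --capath "$trust"
    else
        echo "trust path $trust does not exist" >&2
        return 1
    fi
}

# Subscribe on the TLS port used in the question. Arguments: host, topic and
# trust path (host and topic are placeholders; the path must not contain whitespace).
mqtt_sub_tls() {
    args=$(mqtt_trust_args "$3") || return 1
    # $args is deliberately unquoted so the flag and its path split into two words.
    mosquitto_sub -h "$1" -p 8883 -t "$2" $args
}
```

On Ubuntu, /etc/ssl/certs is already indexed, so mqtt_trust_args /etc/ssl/certs prints the --capath form; a directory of bare .crt files is rejected until it has been rehashed.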
