Reputation: 31
I am new to MQTT and I would like to connect Mosquitto with TwinCAT 3 on Windows through MQTT along with SSL certificate authentication, but Mosquitto prompts a protocol error when connecting with TwinCAT 3.
I have generated SSL certificates through OpenSSL and the command lines I used are as below:
Generate certificate and key for CA:
    openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem -nodes
Generate key and CSR for MQTT client:
    openssl req -newkey rsa:4096 -keyout client-key.pem -out client-req.pem -nodes
Sign CSR with CA:
    openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
I have created a new folder in the mosquitto program files to save all the certificates and keys generated.
I have edited the Mosquitto.conf config file to run the MQTT broker on localhost port 8883 with the SSL certificate authentication.
    listener 8883
    protocol mqtt
    require_certificate true
    cafile C:\Program Files\mosquitto\certs\ca-cert.pem
    keyfile C:\Program Files\mosquitto\certs\client-key.pem
    certfile C:\Program Files\mosquitto\certs\client-cert.pem
Next, I set up a publishing client in the TwinCAT 3 PLC software using the code below:
    PROGRAM MAIN
    VAR
        fbMqttClient : FB_IotMqttClient;
        TopicToPublish : STRING(255) := 'Temperatures';
        MessageToPublish : STRING(255);
        fbSendMessageIntervalTimer : TON := (PT:=T#1S);
        ai_RoomTemperature AT %I* : INT;
    END_VAR

    IF _TaskInfo[GETCURTASKINDEXEX()].FirstCycle THEN
        fbMqttClient.sHostName := '127.0.0.1';
        fbMqttClient.nHostPort := 8883;
        fbMqttClient.sTopicPrefix := '';
        fbMqttClient.sClientId := 'Publishing PLC';
        fbMqTTClient.stTLS.sCert := 'C:\Program Files\mosquitto\certs\client-cert.pem';
        fbMqTTClient.stTLS.sKeyFile := 'C:\Program Files\mosquitto\certs\client-key.pem';
        fbMqTTClient.stTLS.sCA := 'C:\Program Files\mosquitto\certs\ca-cert.pem';
        fbMqTTClient.stTLS.bNoServerCertCheck := TRUE;
    END_IF

    fbMqttClient.Execute(bConnect := TRUE);

    IF fbMqttClient.bConnected THEN
        fbSendMessageIntervalTimer(IN:=TRUE);
        IF fbSendMessageIntervalTimer.Q THEN
            fbSendMessageIntervalTimer(IN:=FALSE);
            MessageToPublish := CONCAT('Room temperature: ',REAL_TO_STRING(ai_RoomTemperature / 10.0));
            fbMqttClient.Publish(sTopic:= TopicToPublish,
                                 pPayload:= ADR(MessageToPublish),
                                 nPayloadSize:= LEN2(ADR(MessageToPublish))+1,
                                 eQoS:= TcIotMqttQos.AtMostOnceDelivery,
                                 bRetain:= FALSE,
                                 bQueue:= FALSE);
        END_IF
    END_IF
After executing mosquitto -c mosquitto.conf -v in Mosquitto and starting the program in TwinCAT, the following errors were shown in Mosquitto:
    1665110106: New connection from 127.0.0.1:63409 on port 8883.
    1665110106: Client <unknown> disconnected due to protocol error.
Does anyone know what issue causes the error and how I can troubleshoot it?
I have also tested the connection between Mosquitto and TwinCAT 3 without using the certificate authentication. The connection is achievable and the outcome is as below:
    1665110793: New connection from 127.0.0.1:63889 on port 8883.
    1665110793: New client connected from 127.0.0.1:63889 as Publishing PLC (p2, c1, k60).
    1665110793: No will message specified.
    1665110793: Sending CONNACK to Publishing PLC (0, 0)
    1665110794: Received PUBLISH from Publishing PLC (d0, q0, r0, m0, 'Temperatures', ... (22 bytes))
    1665110795: Received PUBLISH from Publishing PLC (d0, q0, r0, m0, 'Temperatures', ... (22 bytes))
I hope there is someone that could help me on this issue. Your help would be much appreciated. Thanks in advance.
Upvotes: 2
Views: 362
Reputation: 171
Usually there is something wrong with the certificate hierarchy or with certain file types you use. For test purposes I always use the xca tool, which provides a nice GUI for creating certificate chains and is less error-prone than the CLI. You can also try to connect with mqttFX first.
Upvotes: 0
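The answer points at the certificate hierarchy. As an added example (not part of the original posts), this shell script builds one CA with separate broker and client certificates and checks each certificate/key pair before it goes into mosquitto.conf, where certfile and keyfile are the broker's own pair, or into the TwinCAT stTLS settings. File names, subject names and the 2048-bit key size are assumptions for a local test setup.

```shell
#!/bin/sh
# Added example (not from the original post). File names, CNs and the
# 2048-bit key size are constructed for a local test setup.

# make_pki DIR: build one CA and two leaf certificates (broker, client) in DIR.
make_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes -subj "/CN=Test CA" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null || exit 1
    # The broker certificate carries the address clients connect to;
    # each leaf is limited to its role through extendedKeyUsage.
    printf 'subjectAltName=IP:127.0.0.1,DNS:localhost\nextendedKeyUsage=serverAuth\n' > server.ext
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    for role in server client; do
        # Key and CSR for this role, then sign that same CSR with the CA.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$role" \
            -keyout "$role-key.pem" -out "$role-req.pem" 2>/dev/null || exit 1
        openssl x509 -req -in "$role-req.pem" -days 365 -CA ca-cert.pem \
            -CAkey ca-key.pem -CAcreateserial -extfile "$role.ext" \
            -out "$role-cert.pem" 2>/dev/null || exit 1
    done
)

# check_pair DIR CERT KEY PURPOSE: succeed only if CERT chains to the CA
# for PURPOSE (sslserver or sslclient) and KEY is the private key of CERT.
check_pair() (
    cd "$1" || exit 1
    openssl verify -purpose "$4" -CAfile ca-cert.pem "$2" >/dev/null 2>&1 || exit 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)
```

Run `make_pki ./certs`, then `check_pair ./certs server-cert.pem server-key.pem sslserver` for the broker pair and `check_pair ./certs client-cert.pem client-key.pem sslclient` for the PLC pair; a non-zero exit status means the chain, the role or the key does not match.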