johnsmith

Reputation: 50

Mosquitto TLS - Connection Refused: not authorised

I am trying to set up my Raspberry pi 3B as an mqtt server using Mosquitto. I am following this tutorial: https://forums.raspberrypi.com/viewtopic.php?t=287326

I have got half way down the page to: "Now that the certificates are in place, the subscription client can be invoked using them while pointed at the broker. The broker will be at 192.168.1.140 on the same LAN." Where I am trying to connect a subscriber via TLS, but the connection is refused with message "Connection error: Connection Refused: not authorised."

I have used a private IP 192.168.2.215 for both the server and client. Is this possible?

My conf file is divided into two files:

authentication.conf:

allow_anonymous false
password_file /etc/mosquitto/passwd

encryption.conf:

listener 8883
cafile /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2

As far as I understand all the keys and certificates have been created. All the steps up until now have been successful.

I assume the server is running, since "systemctl status mosquitto" returns "...Started Mosquitto MQTT Broker" on the last line.

Here is my start up log:

1689408731: mosquitto version 2.0.11 terminating
1689408731: Saving in-memory database to /var/lib/mosquitto//mosquitto.db.
1689408731: mosquitto version 2.0.11 starting
1689408731: Config loaded from /etc/mosquitto/mosquitto.conf.
1689408731: Opening ipv4 listen socket on port 8883.
1689408731: Opening ipv6 listen socket on port 8883.
1689408731: Opening ipv4 listen socket on port 1883.
1689408731: Opening ipv6 listen socket on port 1883.
1689408731: mosquitto version 2.0.11 running
1689408760: New connection from 192.168.2.215:46250 on port 8883.
1689408760: Client <unknown> disconnected: Protocol error.

The log is after running:

sudo mosquitto_sub -v -h 192.168.2.215 -u xxx -P 'yyy' --key /etc/mosquitto/certs/listener03-client.crt --cert /etc/mosquitto/certs/listener03-client.crt --cafile /etc/mosquitto/certs/mqtt-server.crt -t 'temperatures' -p 8883 --tls-version tlsv1.2 -i listener03

Unable to connect (A TLS error occurred.).

After adding -d to the client command I get this:

sudo mosquitto_sub -v -d -h 192.168.2.215 -u xxx -P 'yyy' --key /etc/mosquitto/certs/listener03-client.crt --cert /etc/mosquitto/certs/listener03-client.crt --cafile /etc/mosquitto/certs/mqtt-server.crt -t 'temperatures' -p 8883 --tls-version tlsv1.2 -i listener03 

In terminal:
Error: Unable to load client key file "/etc/mosquitto/certs/listener03-client.crt".
OpenSSL Error[0]: error:0909006C:PEM routines:get_name:no start line
OpenSSL Error[1]: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Unable to connect (A TLS error occurred.).

Added to /var/lib/mosquitto/mosquitto.log:
1689518781: New connection from 192.168.2.215:45280 on port 8883.
1689518781: Client <unknown> disconnected: Protocol error.

The listener03-client.crt file permissions are as follows:

-rw-r--r-- 1 root root 1099 14 jul 10.41 listener03-client.crt

Upvotes: 0

Views: 4174
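The broker side of the failure is visible in the two log lines quoted above: a "New connection" on the TLS listener followed immediately by "Client <unknown> disconnected: Protocol error." Mosquitto only learns a client id after it has parsed a CONNECT packet, so an <unknown> client dropping with a protocol error means the session ended below the MQTT layer, which on port 8883 is consistent with a TLS handshake that never completed (matching the client's "A TLS error occurred"). The following is an added example, not code from the question or from the Mosquitto project, that pairs those lines up over a constructed log sample; the log format and the port-to-listener mapping (8883 = TLS) are assumptions taken from the lines on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The first three lines mirror what the question quotes
# from /var/lib/mosquitto/mosquitto.log; the rest are invented to show a
# successful session and a failure on the plain-text listener for contrast.
SAMPLE_LOG = """\
1689408731: mosquitto version 2.0.11 running
1689408760: New connection from 192.168.2.215:46250 on port 8883.
1689408760: Client <unknown> disconnected: Protocol error.
1689408790: New connection from 192.168.2.215:46300 on port 8883.
1689408790: New client connected from 192.168.2.215:46300 as listener03 (p2, c1, k60, u'xxx').
1689408800: New connection from 192.168.2.99:50000 on port 1883.
1689408800: Client <unknown> disconnected: Protocol error.
"""

NEW_CONN = re.compile(
    r"^(?P<ts>\d+): New connection from (?P<addr>\S+):(?P<sport>\d+) on port (?P<port>\d+)\.$"
)
CLIENT_OK = re.compile(r"^(?P<ts>\d+): New client connected from (?P<addr>\S+):(?P<sport>\d+) as ")
UNKNOWN_DC = re.compile(r"^(?P<ts>\d+): Client <unknown> disconnected: (?P<reason>.+?)\.?$")


@dataclass
class PreConnectFailure:
    ts: int
    addr: str
    port: int
    reason: str
    tls_listener: bool


def find_pre_connect_failures(log_text, tls_ports=(8883,)):
    """Pair each 'Client <unknown> disconnected' line with the oldest
    'New connection' that was never promoted to a named client.

    The disconnect line carries no address, so attribution is by order:
    a connection is resolved either by 'New client connected' (CONNECT
    parsed) or by an <unknown> disconnect (died before CONNECT)."""
    pending = {}   # (addr, source port) -> NEW_CONN match, in arrival order
    failures = []
    for line in log_text.splitlines():
        m = NEW_CONN.match(line)
        if m:
            pending[(m["addr"], m["sport"])] = m
            continue
        m = CLIENT_OK.match(line)
        if m:
            pending.pop((m["addr"], m["sport"]), None)
            continue
        m = UNKNOWN_DC.match(line)
        if m and pending:
            key = next(iter(pending))
            conn = pending.pop(key)
            port = int(conn["port"])
            failures.append(PreConnectFailure(
                ts=int(m["ts"]), addr=conn["addr"], port=port,
                reason=m["reason"], tls_listener=port in tls_ports))
    return failures


def summarize(failures):
    """Count failures per (port, reason) so a burst on the TLS listener stands out."""
    counts = {}
    for f in failures:
        counts[(f.port, f.reason)] = counts.get((f.port, f.reason), 0) + 1
    return counts


if __name__ == "__main__":
    found = find_pre_connect_failures(SAMPLE_LOG)
    for f in found:
        kind = "TLS listener" if f.tls_listener else "plain listener"
        print(f"{f.ts}: {f.addr} dropped before CONNECT on port {f.port} ({kind}): {f.reason}")
    print(summarize(found))
```

Run against a real log the same pairing tells you whether a client is failing at the TLS layer (unknown client, protocol error on 8883) or at the MQTT layer (a named client refused with a CONNACK reason), which is the distinction between the two error messages in this question.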

Answers (2)

johnsmith

Reputation: 50

Wrong username/password:

I successfully tested step 2 in the tutorial and double checked I had the same user/password for step 3 (TLS-client). Don't think I got the wrong user/passwd.

Certificate not signed:

I recreated the listener03-client.crt file and signed the key successfully:

xxx@raspberrypi:/etc/mosquitto/certs $ sudo su -c \
'openssl x509 \
-req \
-days 3650 \
-CA /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt \
-CAkey /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.key \
-CAcreateserial \
-in listener03-client.csr \
-out listener03-client.crt \
-extfile <(printf "subjectAltName=IP:192.168.2.215")'

In terminal (where country code is something else):

Signature ok
subject=C = COUNTRY CODE, CN = 192.168.2.215
Getting CA Private Key
Enter pass phrase for /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.key:
xxx@raspberrypi:/etc/mosquitto/certs $ 

And trying to connect a client:

sudo mosquitto_sub -v -d \
-h 192.168.2.215 \
-u xxx -P 'yyy' \
--key /etc/mosquitto/certs/listener03-client.key \
--cert /etc/mosquitto/certs/listener03-client.crt \
--cafile /etc/mosquitto/certs/mqtt-server.crt -t 'temperatures' -p 8883 \
--tls-version tlsv1.2 -i listener03

Client listener03 sending CONNECT
Client listener03 received CONNACK (5)
Connection error: Connection Refused: not authorised.
Client listener03 sending DISCONNECT

I understand that the CONNACK from the server is not accepting my client to connect. I will reinstall everything from scratch on the Raspberry Pi and get back with results; it may be a while.

Upvotes: 0

hardillb

Reputation: 59866

Certificates != Keys

mosquitto_sub -v -d -h 192.168.2.215 -u xxx -P 'yyy' \
    --key /etc/mosquitto/certs/listener03-client.crt \
    --cert /etc/mosquitto/certs/listener03-client.crt \
    --cafile /etc/mosquitto/certs/mqtt-server.crt \
    -t 'temperatures' -p 8883 --tls-version tlsv1.2 -i listener03 

You have passed the same file for both the --cert and --key arguments. These files should be different things.

The key file should be the private key listener03-client.key, not the listener03-client.crt.

Upvotes: 1
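The "no start line" error in the question is exactly what OpenSSL emits when it is asked to load a private key from a file that contains only a CERTIFICATE block. The following is an added example, not code from the answer or from the Mosquitto project, that performs the same label check on the three files handed to --key, --cert and --cafile before the client is run; the placeholder PEM strings are constructed and carry no real key material, and the check reads only the BEGIN/END labels (RFC 7468), so it finds a file of the wrong kind, not a key that fails to match its certificate.

```python
import re

# PEM block grammar from RFC 7468: "-----BEGIN <label>-----" ... "-----END <label>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Labels OpenSSL accepts when asked for a private key.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the BEGIN/END labels found in a PEM file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_tls_args(key_text, cert_text, cafile_text):
    """Check the contents handed to --key, --cert and --cafile the way OpenSSL
    will: the key file must hold a private key block, the other two must hold
    certificates. Returns a list of human-readable problems (empty = fine)."""
    problems = []
    key_labels = pem_labels(key_text)
    if not any(label in PRIVATE_KEY_LABELS for label in key_labels):
        found = ", ".join(key_labels) or "none"
        problems.append(
            f"--key: no private key block found (labels: {found}); "
            "OpenSSL reports this as 'PEM routines:get_name:no start line'")
    if "CERTIFICATE" not in pem_labels(cert_text):
        problems.append("--cert: no CERTIFICATE block found")
    if "CERTIFICATE" not in pem_labels(cafile_text):
        problems.append("--cafile: no CERTIFICATE block found")
    if key_text == cert_text:
        problems.append("--key and --cert have identical contents; a certificate is not a key")
    return problems


def check_tls_files(key_path, cert_path, cafile_path):
    """Same check against files on disk, e.g. the paths from the mosquitto_sub command."""
    def read(path):
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read()
    return check_tls_args(read(key_path), read(cert_path), read(cafile_path))


# Constructed placeholder PEM files: the base64 bodies are not real key material;
# only the labels matter for this check.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderClientCert==\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderClientKey==\n-----END PRIVATE KEY-----\n"
FAKE_CA = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCaCert==\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # The question's invocation: listener03-client.crt passed as both --key and --cert.
    for p in check_tls_args(FAKE_CERT, FAKE_CERT, FAKE_CA):
        print("problem:", p)
    # The corrected invocation from the answer: listener03-client.key as --key.
    print("corrected:", check_tls_args(FAKE_KEY, FAKE_CERT, FAKE_CA) or "no problems")
```

Once the key file really is a private key, the remaining "Connection Refused: not authorised" CONNACK in the follow-up comes from the broker's password check (allow_anonymous false with a password_file), which is a separate layer from TLS and is not something this label check can see.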
