2.4 Embedded MQTT Broker - SSL > Connection refused

Hi all,

I’m on a fresh install of OH 2.4 via openhabian and struggle to activate SSL with the embedded MQTT broker.

Standard port 1883 without a user and password defined works. I can connect with my MQTT Client testing app and publish things.

When I set a secure SSL connection I get “Connection refused” messages and can’t connect.
This is the log output after enabling Secure connection:

2019-02-08 16:25:45.574 [hingStatusInfoChangedEvent] - 'mqtt:systemBroker:embedded-mqtt-broker' changed from ONLINE to OFFLINE

2019-02-08 16:25:45.839 [hingStatusInfoChangedEvent] - 'mqtt:systemBroker:embedded-mqtt-broker' changed from OFFLINE to OFFLINE (CONFIGURATION_ERROR): Eine andere Erweiterung hat unerwartet die Broker Verbindung entfernt.

==> /var/log/openhab2/openhab.log <==

2019-02-08 16:25:45.846 [WARN ] [ver.DefaultMoquetteSslContextCreator] - The keystore path is null or empty. The SSL context won't be initialized.

2019-02-08 16:25:45.850 [ERROR] [.moquette.server.netty.NettyAcceptor] - Can't initialize SSLHandler layer! Exiting, check your configuration of jks

2019-02-08 16:25:47.891 [WARN ] [r.internal.EmbeddedBrokerServiceImpl] - Embedded broker offline - Reason unknown

==> /var/log/openhab2/events.log <==

2019-02-08 16:25:47.900 [me.event.ThingUpdatedEvent] - Thing 'mqtt:systemBroker:embedded-mqtt-broker' has been updated.

2019-02-08 16:25:47.904 [hingStatusInfoChangedEvent] - 'mqtt:systemBroker:embedded-mqtt-broker' changed from OFFLINE (CONFIGURATION_ERROR): Eine andere Erweiterung hat unerwartet die Broker Verbindung entfernt. to OFFLINE

==> /var/log/openhab2/openhab.log <==

2019-02-08 16:25:47.912 [INFO ] [.transport.mqtt.MqttBrokerConnection] - Starting MQTT broker connection to '127.0.0.1' with clientid embedded-mqtt-broker and file store '/var/lib/openhab2/mqtt/127.0.0.1'

==> /var/log/openhab2/events.log <==

2019-02-08 16:25:47.932 [hingStatusInfoChangedEvent] - 'mqtt:systemBroker:embedded-mqtt-broker' changed from OFFLINE to OFFLINE (COMMUNICATION_ERROR): Timeout
==> /var/log/openhab2/openhab.log <==
2019-02-08 16:25:47.930 [WARN ] [r.internal.EmbeddedBrokerServiceImpl] - Embedded broker offline
org.eclipse.paho.client.mqttv3.MqttException: Unable to connect to server
at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:94) ~[216:org.eclipse.paho.client.mqttv3:1.2.0]
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:103) ~[216:org.eclipse.paho.client.mqttv3:1.2.0]
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:701) [216:org.eclipse.paho.client.mqttv3:1.2.0]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:?]
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:?]
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:?]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:?]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:?]
at java.net.Socket.connect(Socket.java:589) ~[?:?]
at org.eclipse.paho.client.mqttv3.internal.TCPNetworkModule.start(TCPNetworkModule.java:80) ~[?:?]
... 9 more

Is there anything else I would have to do to use SSL? The client is in the same network, so it can’t be a problem with my router (opening ports etc.).

Documentation doesn’t mention anything… :confused:

thx,
stefan

The first thing you should do is upgrade to 2.5 Milestone 1. There were a number of bugs discovered and fixed in the weeks immediately after the 2.4 release.

Beyond that, I think for the time being I would recommend setting up Mosquitto if you want to implement SSL/TLS connections to your broker.

You also need to ask yourself the question if you really need SSL.
If all your mqtt devices are in your LAN then why bother?

I’ll do this now, thx!

You’re right. 7 devices are local, however I do have 3 remote devices. One ESP8266 in my office used for motion detection and temperature monitoring and two iPhones using Owntracks to publish their location data via MQTT.

The embedded broker just made it seem so easy to switch to a secure connection…
I will give mosquitto TLS a try.

The current recommended way to integrate OwnTracks is through the GPSTracker Binding, not MQTT these days.

If you are exposing your broker outside your local network then you should definitely not be using the embedded broker. And I would strongly recommend using CloudMQTT (Vincent posted a great tutorial for how to work with that MQTT Binding and SSL, though I don’t know how much is still relevant with MQTT 2.x).

Securing MQTT is a much, much bigger job than just enabling SSL/TLS. It would be far safer for you to let someone whose time is dedicated to watching the broker for attacks and malicious behavior take that on rather than exposing your home network.

Thx rlkoshak!

I didn’t know about the GPS Tracker binding. Have it configured and it’s working great.
Concerning my remote devices… I’ll look into cloudmqtt. Or maybe connecting both of my networks via a VPN tunnel :smile:

Mosquitto is the better option. We need to update the embedded broker first, the current version might have some security issues. It definitely is not made for external exposure at this point in time.

Cheers, David
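The two points made above, that the embedded broker is not made for external exposure and that securing a broker is more than switching on SSL/TLS, can be turned into a concrete check against the Mosquitto setup the thread recommends instead. The following Python script is an added example, not code from this thread, from openHAB or from the Mosquitto project. It parses a mosquitto.conf, shows the "just open a listener" layout beside a hardened one (plaintext only on loopback for openHAB itself, a TLS listener for remote clients, anonymous access off, password and ACL files in place), and reports which of the weak settings discussed here are present. The two sample configurations and every file path in them are constructed for illustration; the checker only covers the handful of directives relevant to this thread, not Mosquitto's full option set.

```python
"""Audit a Mosquitto configuration for the weaknesses discussed in the thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the starting point many people have. A plaintext listener
# on every interface and anonymous publish/subscribe allowed.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""

# Constructed sample: hardened layout. openHAB on the same host keeps using
# 1883, but only via loopback; remote devices must use the TLS listener and
# authenticate. All paths are assumptions for illustration.
HARDENED_CONF = """
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

listener 1883 127.0.0.1

listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1.2
"""

# With Mosquitto's default (per_listener_settings false) these directives are
# global no matter where they appear in the file.
GLOBAL_KEYS = {"allow_anonymous", "password_file", "acl_file", "per_listener_settings"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class Listener:
    port: int
    bind: str                      # "" means "all interfaces"
    opts: Dict[str, str] = field(default_factory=dict)


@dataclass
class Config:
    globals: Dict[str, str] = field(default_factory=dict)
    listeners: List[Listener] = field(default_factory=list)


def parse(text: str) -> Config:
    """Minimal mosquitto.conf reader: 'key value' lines, '#' comments,
    per-listener options attach to the most recent 'listener' line."""
    cfg = Config()
    current: Optional[Listener] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            parts = value.split()
            current = Listener(int(parts[0]), parts[1] if len(parts) > 1 else "")
            cfg.listeners.append(current)
        elif key in GLOBAL_KEYS or current is None:
            cfg.globals[key] = value
        else:
            current.opts[key] = value
    return cfg


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means no issue found."""
    cfg = parse(text)
    findings: List[str] = []
    if cfg.globals.get("allow_anonymous") != "false":
        findings.append("allow_anonymous is not set to false: unauthenticated clients can publish and subscribe")
    if "password_file" not in cfg.globals:
        findings.append("no password_file: clients are not authenticated")
    if "acl_file" not in cfg.globals:
        findings.append("no acl_file: every authenticated client may use every topic")
    for lst in cfg.listeners:
        has_tls = "certfile" in lst.opts and "keyfile" in lst.opts
        exposed = lst.bind not in LOOPBACK
        if exposed and not has_tls:
            findings.append(f"listener {lst.port}: plaintext on a non-loopback interface")
        if has_tls and "cafile" not in lst.opts:
            findings.append(f"listener {lst.port}: TLS without cafile, clients cannot validate the chain")
        if has_tls and lst.opts.get("tls_version") not in ("tlsv1.2", "tlsv1.3"):
            findings.append(f"listener {lst.port}: tls_version not pinned to tlsv1.2 or tlsv1.3")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

Run against the weak sample it reports the open listener, the anonymous access and the missing password and ACL files; the hardened sample passes cleanly. The check is deliberately local to the file: it says nothing about whether the certificates exist or the firewall still forwards 1883, which are the next things to verify before pointing a remote device at the broker.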