Thanks for the quick reply.
The first step in this tutorial (Configure TLS on the Mosquitto broker) refers to the page I was referring to, where I am stuck. Any way, this is what I’ve tried now:
I have generated the following commands:
openssl req -new -x509 -days 1000 -extensions v3_ca -keyout ca.key -out ca.crt
openssl genrsa -des3 -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000
openssl genrsa -des3 -out client.key 2048
openssl req -out client.csr -key client.key -new
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 1000
This has produced the following files:
ca.crt, ca.key, ca.srl, client.crt, client.csr, client.key, server.crt, server.csr, server.key.
I have changed mosquitto.conf to:
listener 1883 192.168.X.X
listener 8883 192.168.X.X
I stopped/started mosquitto.
In my Owntracks app, I have made the following changes:
- Port: 8883;
- TLS: yes;
- CA certificate: ca.crt
- Client certificate: client.crt
- Client certificate password: the password I used when generating all these files;
When connecting, I now get “java.io.IOException: stream does not represent a PKCS12 key store” in my Owntracks app.
Anyone an idea what I did wrong or how I can troubleshoot?
I think I have made some progress. Reading this page, made me do the following:
I generated a P12 file using:
openssl pkcs12 \
-in client.crt \
-inkey client.key \
-name "MQTT certificate/key" \
In the Owntracks app in the field “Client certificate” I selected the generated client.p12 file.
Now I have a different error message:
“Unable to connect to server (32103) - java.net.Connectexception: Connection refused.”
Sorry, it seems that at a certain point I’m stuck. I update this thread with info and then I get another idea.
So the connect refused thing is because the mosquitto-instance didn’t want to start anymore using “/usr/sbin/service mosquitto start”. When I manually start it using “/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf” it work. But it asks for the PEM pass phrase.
=> How can I start mosquitto as a service now?
After entering that PEM pass phrase, I now see what is happening:
1504438810: New connection from 192.168.3.2 on port 1883.
1504438810: New client connected from 192.168.3.2 as openhab (c1, k60, u'daendekerk').
1504438836: New connection from 184.108.40.206 on port 8883.
1504438836: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
1504438836: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1504438836: Socket error on client <unknown>, disconnecting.
So openhab connects fine (not using TLS). But when I want to connect using the owntracks app on my phone I get a handshake failed.
On my phone, I see “MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found”.
I’m getting there.
So I practically started all over again. I removed all files in /certs (CA, client, server).
I ran this script to generate the CA and server files. Then I ran the same script with parameter “client clientname” to generate the client files. Then I packaged the client files using pkcs12.
With these certificates, I was able to execute mosquitto without the need to enter a PEM pass phrase. Also, adding the new client certificates to the Android worked.