Hi Ben,
Thanks for the quick reply.
The first step in this tutorial (Configure TLS on the Mosquitto broker) refers to the page I was referring to, where I am stuck. Anyway, this is what I’ve tried now:
I have generated the following commands:
openssl req -new -x509 -days 1000 -extensions v3_ca -keyout ca.key -out ca.crt
openssl genrsa -des3 -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000
openssl genrsa -des3 -out client.key 2048
openssl req -out client.csr -key client.key -new
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 1000
This has produced the following files:
ca.crt, ca.key, ca.srl, client.crt, client.csr, client.key, server.crt, server.csr, server.key.
I have changed mosquitto.conf to:
listener 1883 192.168.X.X
listener 8883 192.168.X.X
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
allow_anonymous false
password_file /etc/mosquitto/pwfile
I stopped/started mosquitto.
In my Owntracks app, I have made the following changes:
- Port: 8883;
- TLS: yes;
- CA certificate: ca.crt
- Client certificate: client.crt
- Client certificate password: the password I used when generating all these files;
When connecting, I now get “java.io.IOException: stream does not represent a PKCS12 key store” in my Owntracks app.
Anyone have an idea what I did wrong or how I can troubleshoot?
[EDIT]
I think I have made some progress. Reading this page made me do the following:
I generated a P12 file using:
openssl pkcs12 \
-export \
-in client.crt \
-inkey client.key \
-name "MQTT certificate/key" \
-out client.p12
In the Owntracks app in the field “Client certificate” I selected the generated client.p12 file.
Now I have a different error message:
“Unable to connect to server (32103) - java.net.Connectexception: Connection refused.”
[EDIT 2]
Sorry, it seems that at a certain point I’m stuck. I update this thread with info and then I get another idea.
So the connection refused thing is because the mosquitto instance didn’t want to start anymore using “/usr/sbin/service mosquitto start”. When I manually start it using “/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf” it works. But it asks for the PEM pass phrase.
=> How can I start mosquitto as a service now?
After entering that PEM pass phrase, I now see what is happening:
1504438810: New connection from 192.168.3.2 on port 1883.
1504438810: New client connected from 192.168.3.2 as openhab (c1, k60, u'daendekerk').
1504438836: New connection from 84.193.100.236 on port 8883.
1504438836: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
1504438836: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1504438836: Socket error on client <unknown>, disconnecting.
So openhab connects fine (not using TLS). But when I want to connect using the owntracks app on my phone I get a handshake failed.
On my phone, I see “MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found”.
[EDIT 3]
I’m getting there.
So I practically started all over again. I removed all files in /certs (CA, client, server).
I ran this script to generate the CA and server files. Then I ran the same script with parameter “client clientname” to generate the client files. Then I packaged the client files using pkcs12.
With these certificates, I was able to execute mosquitto without the need to enter a PEM pass phrase. Also, adding the new client certificates to the Android worked.
Case closed!
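The three problems in this thread (a server key encrypted with -des3 that makes the service hang on “Enter PEM pass phrase”, a client certificate the app cannot load until it is packaged as PKCS#12, and a “Trust anchor for certification path not found” handshake failure when the CA on the phone no longer matches the one that signed server.crt) can all be caught before touching the broker. The script below is an added example, not the poster’s script or anything from the Mosquitto or OwnTracks projects; the hostname, IP address and p12 password are constructed placeholders, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: build a CA, a passphrase-free server key/cert with a SAN,
# a client cert and the PKCS#12 bundle Android expects, then verify that
# every leaf chains to ca.crt so a stale-CA mismatch shows up here instead
# of as "Trust anchor ... not found" on the phone.
set -eu

MQTT_HOST="mqtt.example.lan"   # assumed broker name (constructed)
MQTT_IP="192.168.1.10"         # assumed broker LAN address (constructed)
P12_PASS="changeit"            # constructed export password for client.p12

gen_mqtt_pki() {
  dir="$1"
  # CA: -nodes keeps ca.key unencrypted; protect it with file permissions instead.
  openssl req -new -x509 -days 1000 -nodes -subj "/CN=Home MQTT CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key WITHOUT -des3: an encrypted key is what made the service start
  # block on "Enter PEM pass phrase".
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$MQTT_HOST" \
    -out "$dir/server.csr" 2>/dev/null
  # Modern TLS clients match the SAN, not the CN, so put host and IP in it.
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$MQTT_HOST" "$MQTT_IP" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1000 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client cert, then the PKCS#12 bundle OwnTracks loads (cert + key in one file).
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=owntracks-phone" \
    -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1000 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -name "MQTT client" -passout "pass:$P12_PASS" -out "$dir/client.p12"
  chmod 600 "$dir"/*.key "$dir/client.p12"
}

# Returns 0 only if both leaves chain to ca.crt, server.key is not encrypted,
# the SAN carries the broker IP, and client.p12 opens with the password.
verify_mqtt_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null &&
  ! grep -q ENCRYPTED "$dir/server.key" &&
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "IP Address:$MQTT_IP" &&
  openssl pkcs12 -in "$dir/client.p12" -passin "pass:$P12_PASS" -noout
}

out="$(mktemp -d)"
gen_mqtt_pki "$out"
verify_mqtt_pki "$out" && echo "PKI OK in $out"
```

Copy ca.crt, server.crt and server.key to the broker’s certs directory and install ca.crt plus client.p12 on the phone; if you ever regenerate the CA, re-run the verify step and redistribute ca.crt, since the old copy on the phone is exactly what produces the trust anchor error.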