Hello,
very interesting thread that I am trying to use to get my openHAB 3.4.0 (running on an Odroid C4, a Raspberry Pi alternative I was able to buy) talking to an MQTT server running somewhere else (a server outside my home running many things, including a mosquitto and owntracks).
I configured this external mqtt server to require TLS and use certificates (see below for the configs). From my odroid machine, where OH runs, I can connect to this mosquitto:
mosquitto_sub -h server.X.Y -t \# -d -p 8883 --cafile mosquitto_ca.crt --cert openhab.crt --key openhab.key
I then followed the steps outlined in the walkthrough and seem to get very far, but in the end, when in the website UI I enter the information for connecting (again, see below) I get a Java unhandled exception:
“javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure”
I am pretty sure the reason is that only the ca is passed, and not the client key and certificate that I use to authenticate clients (since I added only the ca certificate to the truststore).
In 2018 in the thread it mentions:
However, like I said before, I don’t think openHAB supports client certificates so I’m pretty sure that openHAB can’t connect to a listener that has require_certificate true. It can only check whether the server’s cert is trusted based on the CA being in the trust store.
So: is this still the case? Is there no way to pass my client key/certificate?
Does this mean only user/password is supported for security?
My configs:
Mosquitto server:
conf.d/owntracks.conf
per_listener_settings true
listener 1883 localhost
allow_anonymous false
password_file /etc/mosquitto/passwordfile
listener 8883
tls_version tlsv1.2
require_certificate true
use_identity_as_username true
cafile /etc/mosquitto/certs/mosquitto_ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
OH server:
Generated the stores as follows, importing the ca file from my mosquitto server:
# keystore:
sudo keytool -genkeypair -alias odroid -keyalg RSA -keystore /etc/ohkeystore.jks -storetype PKCS12
# truststore:
sudo keytool -import -alias owntracksca -file /etc/mosquitto_ca.crt -storetype PKCS12 -keystore /etc/ohtruststore.jks
/usr/share/openhab/runtime/bin/setenv
export JAVA_OPTS="${JAVA_OPTS}
-Dopenhab.home=${OPENHAB_HOME}
-Dopenhab.conf=${OPENHAB_CONF}
-Dopenhab.runtime=${OPENHAB_RUNTIME}
-Dopenhab.userdata=${OPENHAB_USERDATA}
-Dopenhab.logdir=${OPENHAB_LOGDIR}
-Dfelix.cm.dir=${OPENHAB_USERDATA}/config
-Djava.library.path=${OPENHAB_USERDATA}/tmp/lib
-Djetty.host=${HTTP_ADDRESS}
-Djetty.http.compliance=RFC2616
-Dnashorn.args=--no-deprecation-warning
-Dorg.apache.cxf.osgi.http.transport.disable=true
-Dorg.ops4j.pax.web.listening.addresses=${HTTP_ADDRESS}
-Dorg.osgi.service.http.port=${HTTP_PORT}
-Dorg.osgi.service.http.port.secure=${HTTPS_PORT}
-Dcom.ibm.ssl.trustManager=SunX509
-Dcom.ibm.ssl.keyManager=SunX509
-Dcom.ibm.ssl.contextProvider=SunJSSE
-Dcom.ibm.ssl.keyStore=/etc/ohkeystore.jks
-Dcom.ibm.ssl.keyStorePassword=ReplaceWithYourOwnPassword
-Dcom.ibm.ssl.keyStoreType=PKCS12
-Dcom.ibm.ssl.keyStoreProvider=SUN
-Dcom.ibm.ssl.trustStore=/etc/ohtruststore.jks
-Dcom.ibm.ssl.trustStorePassword=ReplaceWithYourOwnPassword
-Dcom.ibm.ssl.trustStoreType=PKCS12
-Dcom.ibm.ssl.trustStoreProvider=SUN"
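A way to check the client-certificate material before pointing a Java TLS client at it, added here as an example; it is not part of the post above nor of the openHAB or Mosquitto projects. It assumes the three PEM files that mosquitto_sub is given above (CA certificate, client certificate, client key) and uses only the openssl command line. Note that `keytool -genkeypair` creates a fresh key pair and a self-signed certificate rather than importing an existing one; a PKCS12 that holds the existing `openhab.key`/`openhab.crt` pair can be built with `openssl pkcs12 -export`, which is what the `build_client_keystore` function does. All function names are mine, and `make_demo_pki` generates a throwaway CA and client certificate so the script can be run offline; it does not touch the real `mosquitto_ca.crt`.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a client certificate,
# its private key and the CA it chains to, then pack them into a PKCS12
# keystore that carries the private key (what a Java TLS client needs in
# order to present a client certificate). Uses only the openssl CLI.

# 0 if the client certificate ($2) chains to the CA certificate ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the private key's ($2) public half is the one in the certificate ($1).
# Compares SHA-256 digests of the DER-encoded public keys.
key_matches_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Build a PKCS12 keystore holding key + certificate + CA chain under one
# alias, the layout a Java key manager expects for a client-certificate entry.
# $1 ca.crt  $2 client.crt  $3 client.key  $4 output .p12  $5 password
build_client_keystore() {
    openssl pkcs12 -export -in "$2" -inkey "$3" -certfile "$1" \
        -name openhab -out "$4" -passout "pass:$5" 2>/dev/null
}

# Number of private-key entries in the keystore $1 (password $2); should be 1.
keystore_private_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c "BEGIN.*PRIVATE KEY" || true
}

# Number of certificates stored alongside the key (client cert + CA chain).
keystore_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c "BEGIN CERTIFICATE" || true
}

# Subject of the certificate that belongs to the private key.
keystore_client_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Constructed test material: a throwaway CA and a client certificate it
# signed, written into directory $1. This is NOT the real mosquitto_ca.crt.
make_demo_pki() {
    d="$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        'prompt = no' '[dn]' 'CN = Demo CA' '[ca_ext]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=openhab" \
        -keyout "$d/openhab.key" -out "$d/openhab.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/openhab.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/openhab.crt" >/dev/null 2>&1 || return 1
    # an unrelated key, to show key_matches_cert rejecting a mismatch
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

# Usage: sh check_client_tls.sh ca.crt openhab.crt openhab.key out.p12 'password'
if [ "$#" -eq 5 ]; then
    cert_chains_to_ca "$1" "$2" && echo "client cert chains to CA" || echo "client cert does NOT chain to CA"
    key_matches_cert "$2" "$3" && echo "key matches cert" || echo "key does NOT match cert"
    build_client_keystore "$1" "$2" "$3" "$4" "$5" \
        && echo "keystore: $(keystore_private_keys "$4" "$5") key(s), $(keystore_certs "$4" "$5") cert(s), client=$(keystore_client_subject "$4" "$5")"
fi
```

A keystore that reports one private-key entry whose certificate has the expected subject is what a keystore property such as the `-Dcom.ibm.ssl.keyStore` line above would have to point at for a client certificate to be presented at all; a truststore alone only lets the client verify the server. `-nodes` is deprecated in OpenSSL 3 in favour of `-noenc` but is still accepted, and if an older Java runtime refuses a PKCS12 written by OpenSSL 3, re-exporting with the `-legacy` option of `openssl pkcs12` produces the older encryption scheme.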