OK, so I just did a test here to try to prove out if you can connect to an MQTT broker with only username/passwd credentials.
So, first I changed my mosquitto config to remove the

```
require_certificate true
```

and add a pointer to the password file

```
password_file /etc/mosquitto/passwd
```

so my conf now looks like this:
```
per_listener_settings true
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
log_type error
log_type notice
log_type information
log_type debug
listener 8883
#ssl settings
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
#client certificate settings
#require_certificate true
password_file /etc/mosquitto/passwd
use_identity_as_username true
```
So, I attempted to connect with a uname/passwd but to port 8883 and saw the following:

```
mosquitto_pub -h 192.168.1.200 -p 8883 -i "test" -u uname -P "passwd'" -d -t "test/testing" -m 'foobar'
```

I got the following in my mosquitto log:

```
1609639233: Client connection from 192.168.1.50 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
```
Googling for this error, I found this:
> To get mosquitto_pub to attempt to start a SSL connection you need to provide either --cafile or --capath that points to the location of the CA certificates to verify the broker.
> Without these options neither mosquitto_pub nor mosquitto_sub will attempt to start a SSL session and instead try and connect with a normal unencrypted MQTT connection

From here: openssl - mosquitto_pub gives the following error: 1408F10B: SSL routines: ssl3_get_record: wrong version number - Stack Overflow

So, since there is no global repo for self-signed certs, the only way to communicate with the broker is to have a CA cert that was used to sign the server's cert. Makes sense.
OK, so then I tried only supplying the CA cert but still using name/passwd for authentication:

```
mosquitto_pub -h 192.168.1.200 -p 8883 -i "test" --cafile /home/tom/ssl/ca.crt -u uname -P "passwd'" -d -t "test/testing" -m 'foobar'
```

Now I get the same error you are seeing in openHAB in my mosquitto log:

```
1609639323: OpenSSL Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate.
```

Googling around, I don't see much information about logging into a TLS MQTT broker with a username/passwd, so I think my hypothesis was incorrect. Even if this was correct, you would still need to import at least the CA cert into the java keystore. So it seems like we are back at the same step. We need to import the CA cert, the client cert and key into the java keystore in order to get openHAB to connect to a mosquitto broker over TLS.
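As an added example (not from the post above or from the mosquitto project), here is a small Python checker that parses a `per_listener_settings true` mosquitto.conf and reports, per listener, whether it is plaintext or TLS, which authentication mode the settings actually produce, and settings that conflict (such as `use_identity_as_username` without `require_certificate`). The embedded config is the one from the post; the finding strings are my own.

```python
"""Audit listener auth/TLS settings in a mosquitto.conf (per_listener_settings true)."""

# Config from the post, embedded so the check runs offline (log_type lines trimmed).
SAMPLE_CONF = """\
per_listener_settings true
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 8883
#ssl settings
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
#require_certificate true
password_file /etc/mosquitto/passwd
use_identity_as_username true
"""


def parse_listeners(text):
    """Return [(port, {key: value})]; settings before the first 'listener' get port None."""
    blocks, port, current = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out option is not set, e.g. '#require_certificate true'
        key, _, value = line.partition(" ")
        if key == "listener":
            blocks.append((port, current))
            port, current = int(value.split()[0]), {}
        else:
            current[key] = value.strip()
    blocks.append((port, current))
    return blocks


def audit(text):
    """Return {port: [findings]} describing what each listener really enforces."""
    report = {}
    for port, s in parse_listeners(text):
        if port is None:
            continue
        f = []
        if not all(k in s for k in ("cafile", "keyfile", "certfile")):
            f.append("plaintext listener: credentials cross the network unencrypted")
        if s.get("allow_anonymous") != "false":
            f.append("allow_anonymous not explicitly set to false on this listener")
        if s.get("require_certificate") == "true":
            f.append("auth: client certificate required")
        elif "password_file" in s:
            f.append("auth: username/password")
        else:
            f.append("auth: no password_file and no client certificate requirement")
        if s.get("use_identity_as_username") == "true" and s.get("require_certificate") != "true":
            f.append("use_identity_as_username has no effect without require_certificate true")
        report[port] = f
    return report
```

Run `audit(SAMPLE_CONF)` to see that port 1883 is flagged as plaintext with password auth, while 8883 is TLS with password auth plus the stray `use_identity_as_username` setting.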