OHAB 3.2.0 cannot get MQTT working with SSL

Hi,

I have a new RaspPi 4 and run OHAB 3.2.0. Using openhabian-config I installed MQTT.
The unencrypted way is working without problems.
Now I wanted to get MQTT using SSL but I could not get it working.
Here is what I did (thanks to: tpyo kingg at Some Notes on setting up MQTT over TLS):

  1. Certificate Authority:
cd /etc/mosquitto/ca_certificates/
sudo openssl req \
        -new \
        -x509 \
        -days 400 \
        -extensions v3_ca \
        -subj '/C=FI/L=Some City/CN=192.168.1.140' \
        -keyout mosquitto-certificate-authority.key \
        -out    mosquitto-certificate-authority.crt
  2. TLS with Authenticated MQTT - the broker:
cd /etc/mosquitto/certs/
sudo openssl genrsa \
        -out mqtt-server.key \
        2048
  3. Make signing request:
sudo openssl req \
        -new \
        -out mqtt-server.csr \
        -key mqtt-server.key \
        -subj '/C=FI/L=Some City/CN=192.168.1.140'
  4. Sign key using the Certificate Authority:
sudo openssl x509 \
        -req \
        -days 367 \
        -CA    ../ca_certificates/mosquitto-certificate-authority.crt \
        -CAkey ../ca_certificates/mosquitto-certificate-authority.key \
        -CAcreateserial \
        -in  mqtt-server.csr \
        -out mqtt-server.crt
  5. Create new encryption file:
sudo nano /etc/mosquitto/conf.d/encryption.conf
  6. Add following lines into that file:
port 8883
cafile   /etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
keyfile  /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
tls_version tlsv1.2
  7. Save that file using CTRL-X and then Y (for Yes)
  8. Restart mosquitto:
sudo systemctl restart mosquitto

But unfortunately it comes up with the following error:

Job for mosquitto.service failed because the control process exited with error code.
See “systemctl status mosquitto.service” and “journalctl -xe” for details.

If I run

systemctl status mosquitto.service

I get this:

 mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2022-02-06 18:55:14 CET; 48s ago
       Docs: man:mosquitto.conf(5)
             man:mosquitto(8)
    Process: 6509 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 6510 ExecStartPre=/bin/chown mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 6511 ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 6512 ExecStartPre=/bin/chown mosquitto /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 6513 ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf (code=exited, status=1/FAILURE)
   Main PID: 6513 (code=exited, status=1/FAILURE)
        CPU: 56ms

Feb 06 18:55:14 OHAB3RPI4 systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
Feb 06 18:55:14 OHAB3RPI4 systemd[1]: Stopped Mosquitto MQTT Broker.
Feb 06 18:55:14 OHAB3RPI4 systemd[1]: mosquitto.service: Start request repeated too quickly.
Feb 06 18:55:14 OHAB3RPI4 systemd[1]: mosquitto.service: Failed with result 'exit-code'.
Feb 06 18:55:14 OHAB3RPI4 systemd[1]: Failed to start Mosquitto MQTT Broker.

What am I missing, please?

Thanks for any help…

and what is the output of

any further hint in logs located in directory /var/log/mosquitto/ ?

Hi Wolfgang_S,

Thanks for your help!
Here is what journalctl -xe said:

openhabian@OHAB3RPI4:~ $ journalctl -xe
░░ An ExecStart= process belonging to unit mosquitto.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: mosquitto.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: Failed to start Mosquitto MQTT Broker.
░░ Subject: A start job for unit mosquitto.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit mosquitto.service has finished with a failure.
░░
░░ The job identifier is 1674 and the job result is failed.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ Automatic restarting of the unit mosquitto.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: Stopped Mosquitto MQTT Broker.
░░ Subject: A stop job for unit mosquitto.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit mosquitto.service has finished.
░░
░░ The job identifier is 1746 and the job result is done.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: mosquitto.service: Start request repeated too quickly.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: mosquitto.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Feb 07 18:06:56 OHAB3RPI4 systemd[1]: Failed to start Mosquitto MQTT Broker.
░░ Subject: A start job for unit mosquitto.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit mosquitto.service has finished with a failure.
░░
░░ The job identifier is 1746 and the job result is failed.

And here is what /var/log/mosquitto.log says:

1644253616: mosquitto version 2.0.11 starting
1644253616: Config loaded from /etc/mosquitto/mosquitto.conf.
1644253616: Opening ipv4 listen socket on port 1883.
1644253616: Opening ipv6 listen socket on port 1883.
1644253616: Opening ipv4 listen socket on port 8883.
1644253616: Opening ipv6 listen socket on port 8883.
1644253616: Error: Unable to load server key file "/etc/mosquitto/certs/mqtt-server.key". Check keyfile.
1644253616: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
1644253616: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
1644253616: OpenSSL Error[2]: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

I think this is the problem:

Most probably the user mosquitto does not have read permissions to the file.

Hi Wolfgang_S,

Thanks - yes, you are right, the problem was the permission of /etc/mosquitto/certs/mqtt-server.key.
I used chmod 644 on that file and now mosquitto starts as expected.

Now I will test if mosquitto works with TLS.
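As an added example (not code from this thread or from the openHAB or Mosquitto projects), a pre-flight script for the listener set up in steps 1 to 8 and for the "Permission denied" failure found in mosquitto.log: it checks that the mosquitto user can read each file named in encryption.conf, warns when the private key is world-readable, and verifies that mqtt-server.crt is signed by the CA and matches mqtt-server.key. The paths and the mosquitto service user are taken from the thread; GNU or busybox stat and openssl are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the Mosquitto TLS
# listener in encryption.conf. Mosquitto runs as the 'mosquitto' user, so every
# file named by cafile/certfile/keyfile must be readable by that user.
# Paths and service user are the thread's; stat -c and openssl are assumed.
CA=/etc/mosquitto/ca_certificates/mosquitto-certificate-authority.crt
CERT=/etc/mosquitto/certs/mqtt-server.crt
KEY=/etc/mosquitto/certs/mqtt-server.key
SVC_USER=mosquitto

# Print the user ($2=u), group (g) or other (o) permission digit of file $1.
perm_digit() {
    mode=$(stat -c '%a' "$1")      # e.g. 640, or 2750 when setgid is set
    mode=${mode#"${mode%???}"}     # keep only the last three digits
    case $2 in
        u) echo "${mode%??}" ;;
        g) m=${mode#?}; echo "${m%?}" ;;
        o) echo "${mode#??}" ;;
    esac
}

# Return 0 if user $2 can read file $1 as its owner, a group member or "other".
readable_by_user() {
    owner=$(stat -c '%U' "$1"); group=$(stat -c '%G' "$1")
    groups=$(id -Gn "$2" 2>/dev/null) || return 1   # unknown user: cannot read
    if [ "$owner" = "$2" ]; then d=$(perm_digit "$1" u)
    elif printf ' %s ' $groups | grep -qF " $group "; then d=$(perm_digit "$1" g)
    else d=$(perm_digit "$1" o); fi
    [ $((d & 4)) -ne 0 ]
}

# Return 0 if everyone on the host can read file $1 (the "other" read bit).
world_readable() { [ $(( $(perm_digit "$1" o) & 4 )) -ne 0 ]; }

# Return 0 if the public key inside certificate $1 matches private key $2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run all checks against the broker's files; report and return 1 on any failure.
preflight() {
    rc=0
    for f in "$CA" "$CERT" "$KEY"; do
        readable_by_user "$f" "$SVC_USER" || { echo "FAIL: $SVC_USER cannot read $f"; rc=1; }
    done
    world_readable "$KEY" && echo "WARN: $KEY is world-readable; 640 owned by root:$SVC_USER suffices"
    openssl verify -CAfile "$CA" "$CERT" >/dev/null || { echo "FAIL: $CERT not signed by $CA"; rc=1; }
    cert_matches_key "$CERT" "$KEY" || { echo "FAIL: $KEY does not match $CERT"; rc=1; }
    return $rc
}
if [ "${1:-}" = check ]; then preflight; fi
```

Save it on the broker host and run it as `sudo sh <file> check` before `systemctl restart mosquitto`; a clean run prints nothing and exits 0.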
