Openhab 3 and MQTT Client Certificate (ActiveMQ)

  • Platform information:
    • Hardware: Raspberry Pi Model 4b
    • OS: openHABian v1.6.2
    • Java Runtime Environment: Java v11 (Zulu?)
    • openHAB version: openHAB 3.0.0
  • Issue of the topic:

I’m following the tutorial for Openhab 3 setting up a MQTT client which publishes and subscribes to channels from a central MQTT broker. See the following page for the tutorial

I’m using ActiveMQ / RedHat AMQ with client certificates to secure the client connections. That means each clients needs to use a valid client certificate to authenticate at the MQTT broker. This is working with for example the “MQTT Explorer” and scripts written in Go and Nodejs.

In Openhab 3 I’ve imported the client certificate in the local Java Key- and Truststore and setting the env parameters to load the key- and trustore. The startup script to set the env paramerts and the snippet is as follows:


The configuration for the MQTT client in Openhab is as follows:

UID: mqtt:broker:a19f77a886
label: MQTT Broker
thingTypeUID: mqtt:broker
  publickeypin: false
  lwtQos: 1
  keepAlive: 60
  clientid: 9aaf9634-ff15-448b-a72f-3bbacb7c25ae
  retain: true
  secure: true
  certificatepin: false
  version: 3.1
  async: true
  qos: 1
  reconnectTime: 10000
  port: 443
  lwtRetain: true
  enableDiscovery: true

Now, I’m getting the following error message:

Exception while decoding PUBACK: fixed header flags must be 0 but were 8

A connection to the public HiveMQ instance is working succesfully. However the connection to my secured MQTT broker doesn’t work.

From the error message I would say that the problem is because of a different MQTT version. But my understanding is that Openhab 3 MQTT Binding and ActiveMQ / RedHat AMQ are both using MQTT v3.1.1 and not MQTT v5.

Does anyone have a clue where to look at or what to configure on Openhab / MQTT Binding?

Thank you very much, happy new year and best regards.

** Update: Using an URL syntax with “ssl://” as suggestered here https**:// results in the following error message: ssl:// Name or service not known

UnknownHostException - this means
OH want to connect to but IP not resolved

Dear Mats,

Great to see here as well!

Is there anyone else, who can verify the possible successful usage of mqtt client certificates? Otherwise it seems to be a bug and we should create an issue on Github?

Best regards,