
OpenSSL Error when Creating Bridge Connection between Mosquitto brokers

Open sirockin opened this issue 7 years ago • 4 comments

I have deployed a Mosquitto broker with SSL enabled on 8883 using certificates generated by sslforfree, referred to in the following config:

...

password_file /mosquitto/config/passwordfile
persistence false

# mqtt encrypted
listener 8883
cafile /certificate/ca_bundle.crt
certfile /certificate/certificate.crt
keyfile /certificate/private.key

# mqtt unencrypted
listener 1883

I'm able to connect over both the encrypted (8883) and unencrypted connections via external clients.

I now want to set up a bridge from an external broker. So I have added the following lines to the external broker's config:

connection cloud-bridge
remote_clientid myclient
# Removed topic specs for readability
remote_username myclient
remote_password mypassword
address myurl.com:8883
# Following line points to the same ca_bundle.crt file as specified on first broker
bridge_cafile /mosquitto/config/ca_bundle.crt
bridge_insecure false

This results in the following log errors from the external broker:

1544635256: OpenSSL Error: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
1544635256: Socket error on client local.myclient, disconnecting.

When I change the port from 8883 to 1883 in the address section of the external broker and comment out the bridge_cafile and bridge_insecure lines (to use the unencrypted port) the bridge works fine.

Any advice would be greatly appreciated!

sirockin avatar Dec 12 '18 17:12 sirockin

(I'm travelling so please forgive the brevity)

Does the hostname in your certificate match the one you are using to connect? If not, it will fail.

Could you try mosquitto_sub -h host --cafile ca_bundle.crt -t topic -v -d ?

Or maybe openssl s_client -connect host:port -CAfile ca_bundle.crt -verify would tell you something useful.

ralight avatar Dec 12 '18 18:12 ralight
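The first question above, whether the name in the certificate matches the name the bridge connects to, is exactly what the TLS client checks before it accepts the server certificate, and it is a common cause of "certificate verify failed". The following is an added example (not part of Mosquitto or of this issue) that implements the RFC 6125 section 6.4.3 matching rules a TLS client applies to the dNSName entries of a certificate, so you can see which connect names a given certificate would and would not cover. The SAN list `SAMPLE_SAN_NAMES` and the host names passed in are constructed for illustration; only whole-label wildcards in the leftmost position are honoured, which is the conservative reading of the RFC.

```python
"""RFC 6125-style matching of a connect hostname against the dNSName
values in a server certificate.

Added example, not Mosquitto project code. The certificate names and
hostnames used below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed subjectAltName dNSName entries, as a wildcard certificate
# for a domain (plus its bare apex) would carry them.
SAMPLE_SAN_NAMES = ["*.mydomain.com", "mydomain.com"]


def _is_ip_literal(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address (a dNSName never matches one)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3):
      * comparison is case-insensitive; a trailing dot is ignored
      * an IP address literal is never matched by a dNSName
      * a wildcard is honoured only as the entire leftmost label ("*.x.y")
      * the wildcard matches exactly one label, so "*.mydomain.com" covers
        "app.mydomain.com" but not "mydomain.com" or "a.b.mydomain.com"
      * a wildcard directly under a top-level label ("*.com") is refused
    """
    p = pattern.strip().lower().rstrip(".")
    h = hostname.strip().lower().rstrip(".")
    if not p or not h or _is_ip_literal(h):
        return False
    if "*" not in p:
        return p == h

    p_labels = p.split(".")
    h_labels = h.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse "*.com"-style patterns: require at least two labels after "*".
    if len(p_labels) < 3:
        return False
    # "*" stands for exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def find_matching_name(cert_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that covers hostname, or None.

    None is the situation that makes a TLS client report a verify failure
    even when the certificate chains correctly to a trusted CA.
    """
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ["app.mydomain.com", "mydomain.com", "a.b.mydomain.com",
                 "192.0.2.10", "other.com"]:
        matched = find_matching_name(SAMPLE_SAN_NAMES, host)
        print(f"{host:20s} -> {'covered by ' + matched if matched else 'NO MATCH'}")
```

Run it against the names actually listed in the certificate (for example from `openssl x509 -in certificate.crt -noout -ext subjectAltName`) and the exact host used in the bridge `address` line; if `find_matching_name` returns None for that pair, the bridge will fail hostname verification no matter which CA bundle it is given.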

Hi Roger

Thanks for the quick and helpful response, especially since you're travelling.

The hostname for the certificate is *.{mydomain}.com whereas the PTR record on the server is app.{mydomain}.com. Could that be a problem?

Using mosquitto_sub as you suggested produces:

Client mosqsub/5060-NUC2-UBUNT sending CONNECT
Error: A TLS error occurred.

Using openssl s_client ... -verify_hostname app.{mydomain}.com gives me Verify return code: 0 (ok)

sirockin avatar Dec 12 '18 20:12 sirockin

I'm struggling to reproduce this... what version of mosquitto are you using?

ralight avatar Dec 20 '18 11:12 ralight

@sirockin is the issue still a problem? Can we close the issue or could you retry with a current mosquitto version?

ckrey avatar Oct 14 '24 14:10 ckrey