
[Bug] CA-signed server with self-signed client certs requires workaround

Open AsumFace opened this issue 2 years ago • 4 comments

I have a setup where my server is authenticated by certificates issued by Let's Encrypt, but clients are authenticated using self-signed certificates. This means that in order for clients to connect to the server, they need to be provided with their private key and the corresponding self-signed certificate. They do not need to know any custom CA certificates and can authenticate the server through ordinary means. MQTTX does not, however, provide a way to connect with only the client certificate and key: it requires a CA certificate too (option "Self signed"), or does not accept any files at all (option "CA signed server"). To work around this issue it is necessary to find the CA certificate of Let's Encrypt and provide it as the CA file. Curiously, the command-line tools of Mosquitto appear to have the same limitation (although I might be doing something wrong). The MQTT plugin for OctoPrint solves this by making the CA certificate and the client certificate/key pair independently optional.

AsumFace, Jul 04 '22 00:07

Hi, sorry I'm late in replying, I was on vacation last week. : ) So is there really a need for an SSL connection that doesn't require a CA certificate to be uploaded?

ysfscream, Jul 11 '22 05:07

Hi, I didn't mean to imply that there's no CA certificate involved for the server; it's just already present in the system's trust store and does not need to be provided again by the user. The client certificate authentication works independently from it, and as such, using it should not affect whether the system's trust store or a custom one is used to verify the server's certificate.

AsumFace, Jul 15 '22 02:07
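The split the comment above describes, server trust on one side and client authentication on the other, is easy to see in code. The following is an added example written for this page, not code from MQTTX or from any participant in the thread: it builds a TLS client context in which the CA file and the client certificate/key pair are independent options (no CA file means the OS trust store, which is where a Let's Encrypt chain resolves), then sends a minimal MQTT 3.1.1 CONNECT over that context and reads the CONNACK. The function names, the `mqttx-example` client id and the command-line usage are my own assumptions; the broker host, port and certificate paths are supplied by the caller.

```python
import socket
import ssl

# Added example, not MQTTX code. ca_file, cert_file and key_file are independent
# options: server verification never depends on whether a client cert is used.


def make_client_context(ca_file=None, cert_file=None, key_file=None):
    """Return an ssl.SSLContext for an MQTT-over-TLS client.

    Server verification is always on (CERT_REQUIRED plus hostname check).
    ca_file None  -> trust the OS store (the "CA signed server" case).
    ca_file given -> trust only that CA (the "self signed" server case).
    cert_file/key_file -> present a client certificate, self-signed or not;
    the broker decides whether to accept it, and the CA choice is unaffected.
    """
    # PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED, check_hostname=True
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=ca_file)
    if key_file is not None and cert_file is None:
        raise ValueError("a client key needs a client certificate")
    if cert_file is not None:
        # key_file may be None when cert_file is a combined PEM (cert + key)
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def _mqtt_str(s):
    """UTF-8 string with a 2-byte big-endian length prefix (MQTT encoding)."""
    b = s.encode("utf-8")
    return len(b).to_bytes(2, "big") + b


def build_connect_packet(client_id, keepalive=60):
    """MQTT 3.1.1 CONNECT with clean session and no username/password:
    the TLS client certificate carries the client's identity instead."""
    var_header = _mqtt_str("MQTT") + bytes([0x04, 0x02]) + keepalive.to_bytes(2, "big")
    body = var_header + _mqtt_str(client_id)
    # "remaining length" uses MQTT's variable-length encoding, 7 bits per byte
    rem, n = b"", len(body)
    while True:
        digit = n % 128
        n //= 128
        if n > 0:
            digit |= 0x80
        rem += bytes([digit])
        if n == 0:
            break
    return bytes([0x10]) + rem + body


def parse_connack(data):
    """Return the CONNACK return code (0 means accepted); raise on anything else."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK: %r" % data[:4])
    return data[3]


def mqtt_tls_connect(host, port, ctx, client_id="mqttx-example"):
    """Open TLS to the broker, send CONNECT, return (return_code, server_subject)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives SNI and the hostname check against the server cert
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_connect_packet(client_id))
            rc = parse_connack(tls.recv(4))
            return rc, tls.getpeercert()["subject"]


if __name__ == "__main__":
    import sys
    # assumed usage: python mqtt_tls.py broker.example.com 8883 client.crt client.key
    host, port, cert, key = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    ctx = make_client_context(cert_file=cert, key_file=key)  # no CA file: OS trust store
    rc, subject = mqtt_tls_connect(host, port, ctx)
    print("CONNACK return code", rc, "server subject", subject)
```

A return code of 5 (not authorized) after a successful TLS handshake is the broker rejecting the client certificate; a handshake failure before any CONNACK is the server certificate failing verification, which is the case the thread's workaround (pointing the CA file at the Let's Encrypt root) addresses.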

OK, so if you choose a CA-signed server, there seems to be no way to provide a client certificate at the moment, is there?

[screenshot]

ysfscream, Jul 15 '22 03:07

Yes, exactly. The "CA signed server" option makes authentication through client certificates impossible, even though there's nothing conceptually wrong with it.

AsumFace, Jul 15 '22 03:07

It's a little late for an update. In https://github.com/emqx/MQTTX/releases/tag/v1.8.3 we removed the restriction, but you need to choose at least one certificate to complete the connection, thanks for the feedback.

[screenshot]

ysfscream, Oct 12 '22 02:10