
An option to dynamically upload CA certificates

Open harsharshetty opened this issue 4 years ago • 6 comments

Overview - I have to support multiple tenants (each tenant with its own CA certificate) using a single deployment of vernemq (containerized using docker and deployed in a kubernetes cluster).

My challenge is that the tenants can be created at any time (long after the MQTT broker is installed) and the certificate has to be added to the trusted ssl keystore without restarting the broker. The new keys so generated should be honoured by the broker for client authentication subsequently.

Description

Step 1 - Install the broker on the cluster.
Step 2 - Add a new CA certificate which should be used for client authentication over TLS without restarting the broker.
Step 3 - When trying to connect using an MQTT client with the certificate added in step 2, the broker should be able to authenticate the client.

Currently - I don't see an option to upload the certificates dynamically to the keystore while the broker is still running.

Could you please help me with the same?

harsharshetty avatar Jul 23 '20 11:07 harsharshetty

For a single listener you can't currently update the CAs dynamically.

I see a way to maybe achieve what you want in starting a new listener dynamically (see `sudo vmq-admin listener start --help`). You could dynamically start a new listener with new TLS configs. Then, as a second step, you go ahead and add the same TLS configs and listener to the vernemq.conf file, so that the configuration is persisted after any broker reboot.

ioolkos avatar Jul 23 '20 13:07 ioolkos

@ioolkos Thanks for the quick response.

  1. When you say "we can start a new listener dynamically", is there a way we can do this without getting into the CLI and executing a "vmq-admin" command? I am currently running the containerized vernemq in a k8s cluster and there is a requirement to dynamically upload the certificates without bringing the broker instance down.

  2. Once we add the TLS configs and listener to vernemq.conf, I think we would need to restart the broker instance to make sure the new updates to the conf file are honoured, right?

harsharshetty avatar Jul 24 '20 04:07 harsharshetty

@harsharshetty

  1. You can try the HTTP wraps for the CLI commands: https://docs.vernemq.com/administration/http-administration. Be aware that this will not upload the Cert files, they have to exist on the server.
  2. To start a listener that's only added to the vernemq.conf, you have to restart the broker. That's exactly why there are the dynamic CLI commands. If you start the same listener dynamically, you don't have to start the broker, but the listener will be gone after broker restart. So you can just pro-actively add it to the conf file too.

ioolkos avatar Jul 24 '20 05:07 ioolkos

@ioolkos is it possible to statically add multiple CA certificates for a single listener? We are providing SSL support on port 8883. We have a requirement for 2-way SSL where the devices present their client certificates.

My use case is to support multiple CAs, as the devices trying to connect to our Vernemq broker come with certificates provided by different CAs (RapidSSL, Comodo, etc.). In order for the Vernemq server to trust these CAs, I think some configuration is required, although I am not able to find in the documentation the exact way to do it.

arjun289 avatar Mar 10 '22 08:03 arjun289

@arjun289 concatenate the PEM encoded CA certs into the configured CA file.


:point_right: Thank you for supporting VerneMQ: https://github.com/sponsors/vernemq :point_right: Using the binary VerneMQ packages commercially (.deb/.rpm/Docker) requires a paid subscription.

ioolkos avatar Mar 10 '22 08:03 ioolkos

@ioolkos thanks for the help, appreciate it :+1: Is there any example you can point me to?

arjun289 avatar Mar 10 '22 09:03 arjun289