Zigbee2MqttAssistant
Specify trusted CA for MQTT broker / Implement certificates-pinning
Is your feature request related to a problem? Please describe.
I have an MQTT broker with a TLS certificate signed by my own trusted CA. I can't connect to this MQTT broker with Zigbee2MqttAssistant because it doesn't trust the certificate:
Starting Zigbee2MqttAssistant v0.3.133+Branch.master.Sha.f490bd70a0401bc6d96a4d02d5f9022a43bb5e9e...
warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
Storing keys in a directory '/root/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.
Hosting environment: Production
Content root path: /app
Now listening on: http://[::]:80
Application started. Press Ctrl+C to shut down.
warn: Zigbee2MqttAssistant.Services.MqttConnectionService[0]
Unable to connect to MQTT server pi-red.home.
MQTTnet.Exceptions.MqttCommunicationException: The remote certificate is invalid according to the validation procedure.
Describe the solution you'd like
I'd like to have an environment variable to set the CA certificate, so it will trust the certificate of my MQTT broker.
Are you using the HASS.IO version or just in Docker?
You can customize the image using a Dockerfile in the following way: https://stackoverflow.com/a/42292623/1176099
I'm using the Docker image carldebilly/zigbee2mqttassistant.
Thanks for the pointer about customizing Docker images to do this. For maintainability reasons I prefer to do this without having to customize your official Docker image, but it's an acceptable temporary workaround.
You can also deactivate the TLS certificate check to put it in insecure mode.
I know, but I want to check it, that's one of my reasons to use TLS :-) I'll use your image customization workaround for now.
Maybe a kind of certificate pinning feature could be great for you. Let's say you put the TLS mode in insecure mode, but pin the CA certificate hash somewhere in the configuration...
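The two options discussed above (trusting a private CA, or running with chain validation off but pinning the broker certificate's hash) sketched as an added example. This is not Zigbee2MqttAssistant's code (the project is .NET on MQTTnet); it uses only the Python standard library so the mechanics are visible. The environment variable names MQTT_HOST, MQTT_CA_FILE and MQTT_PIN_SHA256 are hypothetical, and SAMPLE_DER is constructed filler standing in for a DER certificate.

```python
"""Added example (not the project's code): trust a private CA, or pin the
broker certificate's SHA-256, for an MQTT-over-TLS connection using only the
Python standard library."""
import hashlib
import hmac
import os
import socket
import ssl
from typing import Optional

# Constructed placeholder standing in for a DER-encoded certificate; on a real
# connection the bytes come from getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"


def fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 of a DER certificate: the value `openssl x509 -noout
    -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned: str) -> bool:
    """Compare the certificate fingerprint against the configured pin.

    Accepts the colon-separated, upper-case form openssl prints and uses a
    constant-time comparison so the check does not leak how many leading
    hex digits matched."""
    wanted = pinned.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint_sha256(der), wanted)


def build_context(ca_file: Optional[str] = None,
                  pinned_fingerprint: Optional[str] = None) -> ssl.SSLContext:
    """Two ways to trust a broker whose certificate no public CA signed.

    ca_file: PEM file holding the private CA. Normal chain and hostname
        validation, but against that CA only (what the issue asks for).
    pinned_fingerprint: chain validation is disabled and the broker's
        certificate must instead have exactly this SHA-256 (the maintainer's
        suggestion); the comparison happens after the handshake.
    A context that does neither would be plain insecure mode, so refuse it."""
    if ca_file is None and pinned_fingerprint is None:
        raise ValueError("need a CA file or a pinned fingerprint; refusing insecure mode")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file is not None:
        # Only the private CA is trusted. check_hostname stays True, so the
        # broker certificate's SAN must contain the hostname you connect to.
        ctx.load_verify_locations(cafile=ca_file)
    else:
        # Pin mode: with CERT_NONE the pin check in connect_mqtt_tls() is the
        # only thing standing between you and a man in the middle.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_mqtt_tls(host: str, port: int = 8883,
                     ca_file: Optional[str] = None,
                     pinned_fingerprint: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS socket to the broker and enforce the pin before any MQTT
    byte (including the CONNECT with credentials) is sent."""
    ctx = build_context(ca_file, pinned_fingerprint)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI even in pin mode
    if pinned_fingerprint is not None:
        der = tls.getpeercert(binary_form=True)  # DER is returned even under CERT_NONE
        if der is None or not pin_matches(der, pinned_fingerprint):
            tls.close()
            raise ssl.SSLError("broker certificate does not match the pinned SHA-256 fingerprint")
    return tls


if __name__ == "__main__":
    # Hypothetical environment variables mirroring the feature request, e.g.
    # MQTT_CA_FILE=/certs/home-ca.pem  or  MQTT_PIN_SHA256=AB:CD:...:EF
    conn = connect_mqtt_tls(os.environ.get("MQTT_HOST", "pi-red.home"),
                            ca_file=os.environ.get("MQTT_CA_FILE"),
                            pinned_fingerprint=os.environ.get("MQTT_PIN_SHA256"))
    print("TLS established:", conn.version())
    conn.close()
```

Pinning the leaf certificate is simple but ties the configuration to one certificate; the CA-file variant survives broker certificate rotation as long as the same private CA signs the new certificate, which is why it is the better long-term answer to the request above.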
How did you solve the problem with Z2M itself? ...and other dependencies (HA...)?
For now I have decided to run mosquitto on the same machine as Zigbee2mqtt and Zigbee2MqttAssistant so they can communicate unencrypted using the local Docker network. The plan is to bridge this MQTT broker to my main MQTT broker over TLS. That would solve the problem for me.