Unable to connect to mosquitto server using server CA

Asked by Tushar

Hi,

I am trying to connect to the mosquitto server using the server CA, but the client is unable to connect.
The following error is given to me:

root@tushar-TravelMate-4740:/home/tushar/Desktop/mosquitto--All+edited/mosquitto-0.15.90# mosquitto_sub -h 127.0.0.1 -p 8883 -t hello/world --cafile /home/tushar/new/macaservercreate.ca --cert /home/tushar/Desktop/mosquitto--All+edited/mosquitto-0.15.90/test/ssl/client.crt --key home/tushar/Desktop/mosquitto--All+edited/mosquitto-0.15.90/test/ssl/client.key
Unable to connect (8).

Thanks,
Tushar.

Question information

Language:
English
Status:
Solved
For:
mosquitto
Assignee:
No assignee
Solved by:
Roger Light

Tushar (tushar-bapte) said :
#1

Hi ,

I am getting this error after connecting to the server.

root@tushar-TravelMate-4740:/home/tushar/Desktop/mosquitto--All+edited/mosquitto-0.15.90# mosquitto -c mosquitto.conf
1343719427: mosquitto version 0.15.90 (build date 2012-07-31 12:28:12+0530) starting
1343719427: Opening ipv4 listen socket on port 8883.
Enter PEM pass phrase:
1343719453: New connection from 127.0.0.1.
1343719453: Socket error on client (null), disconnecting.

Thanks,
Tushar.

Best Roger Light (roger.light) said :
#2

It looks to me like you're using your own generated CA certificate:

--cafile /home/tushar/new/macaservercreate.ca

With the mosquitto test client certificate and private key:

--cert /home/tushar/Desktop/mosquitto--All+edited/mosquitto-0.15.90/test/ssl/client.crt
--key home/tushar/Desktop/mosquitto--All+edited/mosquitto-0.15.90/test/ssl/client.key

Which won't work because client.crt isn't signed by macaservercreate.ca.

To be clear, this is what I'd expect you to do to get things working:

1. Generate a Certificate Authority file.
2. Generate a server private key.
3. Generate a certificate signing request using the server private key.
4. Sign the CSR using the CA certificate to get a server certificate.
5. Start the broker, having created a config file that uses the CA certificate and server certificate and private keys.
6. Start your client using the CA certificate.

If you want to use client certificates for authentication then do the following as well:

7. Add "require_certificates true" to the server config file.
8. Generate a client private key.
9. Generate a certificate signing request using the client private key.
10. Sign the CSR using the CA certificate to get a client certificate.
11. Start the client using the CA certificate, client certificate and client private key.

Tushar (tushar-bapte) said :
#3

Hi Roger,

Thanks for your response ,

I have made all the keys according to your eleven steps, but I am unable to connect the client to the mosquitto server.

In mosquitto.conf (cafile option), what exactly do we have to pass: a .ca file, a .pem file or a .cert file?

In your answer you said that the CA certificate has to be passed to the server; I have tried all of the above keys, but none of them works in the cafile option.

What is the exact key for the CA certificate?

If you have any link on how to create all the keys, please tell me.

Thanks,
Tushar.

Roger Light (roger.light) said :
#4

There are examples (currently without much explanation) provided in the mosquitto-tls man page:

Generate a certificate authority certificate and key.

 · openssl req -new -x509 -days <duration> -extensions v3_ca -keyout ca.key -out ca.crt

Generate a server key

 · openssl genrsa -des3 -out server.key 2048

Generate a server key without encryption.

 · openssl genrsa -out server.key 2048

Generate a certificate signing request to send to the CA.

 · openssl req -out server.csr -key server.key -new

Send the CSR to the CA, or sign it with your CA key:

 · openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <duration>
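
The eleven steps from answer #2 and the openssl commands from the man page excerpt above, put together as one added example script. This is not code from the mosquitto project or from anyone in this thread. The file names (ca.key, ca.crt, server.key, client.crt and so on), the subject names, the 365-day lifetime, the use of "localhost" as the broker host name and the unencrypted keys are all this example's own assumptions; the man page commands leave those choices to you. Keys are generated without a pass phrase so the broker starts without the "Enter PEM pass phrase:" prompt seen in the first post (an encrypted server key is safer at rest but needs the pass phrase at every start). Recent mosquitto clients also check that the broker certificate's name matches the host given with -h, which is why the server certificate here is issued for localhost. The chains_to_ca check at the end reproduces the original mistake: a client.crt signed by one CA, presented together with the --cafile of another.

```shell
#!/bin/sh
# Added example (not from the mosquitto project or this thread): the eleven
# steps as one script. File names, subject names, the 365-day lifetime and
# the use of "localhost" as the broker host name are assumptions.
set -e

DAYS=365
SERVER_HOST=localhost   # assumption: the name clients will pass to -h

# $1 = directory, $2 = name (server|client), $3 = subject.
# Steps 2-4 / 8-10: private key, CSR, certificate signed by the CA in $1.
issue_cert() {
    dir=$1; name=$2; subj=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "$subj" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" \
        -days "$DAYS" 2>/dev/null
}

# Step 1 plus both leaf certificates. Keys are written unencrypted
# (-nodes / plain genrsa) so the broker starts without a pass phrase prompt.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -days "$DAYS" -extensions v3_ca \
        -newkey rsa:2048 -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example MQTT CA" 2>/dev/null
    issue_cert "$dir" server "/CN=$SERVER_HOST"
    issue_cert "$dir" client "/CN=example-client"
}

# Step 5 (and 7): broker configuration, printed to stdout.
write_broker_conf() {
    dir=$1
    cat <<EOF
port 8883
cafile $dir/ca.crt
certfile $dir/server.crt
keyfile $dir/server.key
# step 7: drop this line if clients should not need a certificate
require_certificate true
EOF
}

# Returns 0 if certificate $2 was signed by the CA certificate $1.
# This is the check that fails in the original command: a client.crt
# from one CA used together with the --cafile of another.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    tmp=$(mktemp -d)
    make_pki "$tmp/pki"
    write_broker_conf "$tmp/pki" > "$tmp/mosquitto.conf"
    chains_to_ca "$tmp/pki/ca.crt" "$tmp/pki/client.crt" \
        && echo "client.crt chains to pki/ca.crt"
    make_pki "$tmp/other"   # a second, unrelated CA
    chains_to_ca "$tmp/other/ca.crt" "$tmp/pki/client.crt" \
        || echo "client.crt does NOT chain to other/ca.crt (the original error)"
    echo "broker:  mosquitto -c $tmp/mosquitto.conf"
    echo "step 6:  mosquitto_sub -h $SERVER_HOST -p 8883 -t hello/world" \
         "--cafile $tmp/pki/ca.crt"
    echo "step 11: mosquitto_sub -h $SERVER_HOST -p 8883 -t hello/world" \
         "--cafile $tmp/pki/ca.crt --cert $tmp/pki/client.crt --key $tmp/pki/client.key"
}

main "$@"
```

Run it as `sh make_pki.sh`; it prints the broker and client commands for steps 5, 6 and 11 with the paths it created. With `require_certificate true` in the generated config, the step 6 command (CA file only) is rejected by the broker with the "peer did not return a certificate" error quoted later in this thread, and only the step 11 command connects.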

Tushar (tushar-bapte) said :
#6

Hi Roger,

Thanks for your response.

Now my mosquitto server and client are completely working using SSL.

Thanks,
Tushar

Tushar (tushar-bapte) said :
#7

Thanks Roger Light, that solved my question.

Charles Wang (kitta4587) said :
#8

I have got a problem.

My config file:

bind_address 127.0.0.1
port 8883
max_connections -1

cafile /Users/wangchen/Hack/mosquitto/ca.crt
certfile /Users/wangchen/Hack/mosquitto/server.crt
keyfile /Users/wangchen/Hack/mosquitto/server.key
require_certificate true

When I want to subscribe to a topic:

mosquitto_sub -p 8883 -t sample --cafile ca.crt

I got an error:

1351258881: New connection from 127.0.0.1.
1351258881: OpenSSL Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
1351258881: Socket read error on client (null), disconnecting.

Roger Light (roger.light) said :
#9

Charles,

Please open a new question if you have a new problem rather than trying to reopen this already solved question.

That said, your problem is that you have configured the server to require client certificates (require_certificate true) but haven't used a certificate with your client. Either set require_certificate to false or generate client key and certificates and use them with the client.