cannot enable tls with auto-generated certificate

Asked by Danilo Tomasoni

The error is (from log):

1406209668: mosquitto version 1.2.1 (build date 2013-09-23 19:28:56+0000) starting
1406209668: Config loaded from mosquitto.conf.
1406209668: Opening ipv4 listen socket on port 8883.
1406209668: Opening ipv6 listen socket on port 8883.
1406209668: Error: Unable to load server certificate "/etc/mosquitto/certs/ciroserver-mosquitto.pem". Check certfile.

I checked that:
1. /etc/mosquitto/certs/ciroserver-mosquitto.pem exists
2. it has 600 permissions, owned by user mosquitto, group users (but with 777 it is the same)
3. it is a PEM-encoded file (with ---BEGIN CERTIFICATE-- ...................... -----END CERTIFICATE--------- )

What's the issue? This is my mosquitto.conf:
# egrep -v '^(#|$)' mosquitto.conf

pid_file /var/run/mosquitto.pid
user mosquitto
port 8883
max_connections 1024
capath /etc/mosquitto/ca_certificates
certfile /etc/mosquitto/certs/ciroserver-mosquitto.pem
keyfile /etc/mosquitto/certs/ciroserver-mosquitto.key
tls_version tlsv1
require_certificate false
autosave_interval 1800
persistence true
persistence_file mosquitto.db
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
log_type all
log_timestamp true
allow_anonymous false
password_file /etc/mosquitto/passwd

My operating system is Debian 7.0, and I installed mosquitto from the repositories.

Thank you for the answer!

Question information

Language: English
Status: Expired
For: mosquitto
Assignee: No assignee

Roger Light (roger.light) said:
#1

Do you have apparmor running? It looks like there is a mistake in the
mosquitto apparmor profile that allows access to /etc/mosquitto/cert/
rather than /etc/mosquitto/certs/

You could try moving your certs directory to cert and see if it works,
or change the appropriate line in /etc/apparmor.d/usr.sbin.mosquitto
then run "sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.mosquitto"

I will be fixing the apparmor profile to allow the path /etc/mosquitto/certs/

On Mon, Jul 28, 2014 at 1:21 AM, Danilo Tomasoni
<email address hidden> wrote:
> Question #252120 on mosquitto changed:
> https://answers.launchpad.net/mosquitto/+question/252120

Danilo Tomasoni (danilo-tomasoni) said:
#2

I don't have apparmor installed (/etc/apparmor.d/ does not exist).
I tried to move /etc/mosquitto/certs to /etc/mosquitto/cert but it gives the same error:

1406558063: mosquitto version 1.2.1 (build date 2013-09-23 19:28:56+0000) starting
1406558063: Config loaded from mosquitto.conf.
1406558063: Opening ipv4 listen socket on port 8883.
1406558063: Opening ipv6 listen socket on port 8883.
1406558063: Error: Unable to load server certificate "/etc/mosquitto/cert/ciroserver-mosquitto.pem". Check certfile.

Petr Klus (klus-petr) said:
#3

Same problem here!

# mosquitto -c /etc/mosquitto/mosquitto.conf
1406822293: mosquitto version 1.3.2 (build date 2014-07-31 13:37:03+0000) starting
1406822293: Config loaded from /etc/mosquitto/mosquitto.conf.
1406822293: Opening ipv4 listen socket on port 8883.
1406822293: Opening ipv6 listen socket on port 8883.
1406822293: Error: Unable to load server certificate "/root/keys_second/server/server.crt". Check certfile.

Launchpad Janitor (janitor) said:
#4

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Roger Light (roger.light) said:
#5

Are the certificates definitely in PEM format?

Do they definitely relate to the CA certificates that you have already loaded?

Danilo Tomasoni (danilo-tomasoni) said:
#6

I think it is.
The ca .key file begins with -----BEGIN ENCRYPTED PRIVATE KEY-----
and ends with -----END ENCRYPTED PRIVATE KEY-----
The ciroserver-mosquitto.pem file begins with -----BEGIN CERTIFICATE-----
and ends with -----END CERTIFICATE-----
The ciroserver-mosquitto.key begins with -----BEGIN RSA PRIVATE KEY-----
and ends with -----END RSA PRIVATE KEY-----

Maybe the ca.key should also start with BEGIN RSA PRIVATE KEY
instead of BEGIN ENCRYPTED PRIVATE KEY?
But I generated the certs using your tutorial...
http://mosquitto.org/man/mosquitto-tls-7.html
# openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt
# openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt

Danilo Tomasoni (danilo-tomasoni) said:
#7

I removed the password from the private key of the CA certificate using
openssl rsa -in server.key.secure -out server.key

but still no luck. So I tried using the cafile option instead of capath.
Now it gives me
Error: Unable to load CA certificates. Check cafile "/etc/mosquitto/ca_certificates/mosquitto-ca.crt".

The .crt files begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----
I also tried creating a combined file (as needed by postfix, for example)
cat ca.key ca.crt > ca.pem but still
Error: Unable to load CA certificates. Check cafile "/etc/mosquitto/ca_certificates/mosquitto-ca.pem".
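The questions raised in #5 (are the files really PEM, do they relate to the loaded CA) and the findings in #6 and #7 (a passphrase-protected CA key, a key+certificate bundle handed to cafile) can all be confirmed with the openssl CLI before the broker is ever started. The script below is an added example, not from this thread or the mosquitto project; it assumes openssl is on PATH, builds a throwaway CA and server certificate in a temporary directory with the same req / x509 -req steps the mosquitto-tls man page uses (file names and subjects are constructed), and then runs the checks that correspond to mosquitto's cafile, certfile and keyfile options.

```shell
#!/bin/sh
# Added example, not from this thread or the mosquitto project: check that a
# CA certificate, a server certificate and the server's private key are what
# mosquitto.conf's cafile/capath, certfile and keyfile options expect, using
# only the openssl CLI. Assumes openssl is on PATH; all paths are constructed.

# check_tls_files CA_CRT SERVER_CRT SERVER_KEY
# Prints one FAIL line per problem; returns 0 only if every check passes.
check_tls_files() {
    ca="$1"; crt="$2"; key="$3"; rc=0

    # 1. Readable by the user running the check (run it as the broker's user).
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. certfile and cafile must each parse as a PEM X.509 certificate;
    #    a key, a CSR or a key+cert bundle in the wrong slot fails here.
    for f in "$ca" "$crt"; do
        openssl x509 -noout -in "$f" 2>/dev/null \
            || { echo "FAIL: $f is not a PEM certificate"; rc=1; }
    done

    # 3. keyfile must be an unencrypted private key: an unattended broker has
    #    no way to supply a passphrase. The grep matches both the PKCS#8
    #    "ENCRYPTED PRIVATE KEY" label and the legacy "Proc-Type: 4,ENCRYPTED"
    #    header, so openssl never blocks on a passphrase prompt below.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is passphrase-protected (openssl rsa -in old -out new strips it)"
        rc=1
    elif ! openssl pkey -noout -in "$key" 2>/dev/null; then
        echo "FAIL: $key is not a PEM private key"; rc=1
    fi
    [ "$rc" -eq 0 ] || return 1

    # 4. The key must belong to the server certificate: derive the public key
    #    from each side and compare the PEM forms.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $crt"; rc=1; }

    # 5. The server certificate must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt is not signed by $ca"; rc=1; }
    return "$rc"
}

# make_demo_pki DIR: build a throwaway CA and server certificate in DIR with
# the same req / x509 -req steps as the mosquitto-tls man page, plus a
# passphrase-protected copy of the server key to exercise check 3.
# Everything here is constructed demo material.
make_demo_pki() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca -days 1 \
        -newkey rsa:2048 -nodes -subj /CN=demo-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj /CN=broker.example -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
    openssl pkey -in "$dir/server.key" -aes256 -passout pass:demo \
        -out "$dir/server.enc.key" 2>/dev/null
}

# demo: a matching set passes; an encrypted key (like the ca.key in this
# thread) and a key belonging to a different certificate are both rejected.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "== matching files:"
    check_tls_files "$d/ca.crt" "$d/server.crt" "$d/server.key" && echo "OK"
    echo "== passphrase-protected key:"
    check_tls_files "$d/ca.crt" "$d/server.crt" "$d/server.enc.key" || echo "rejected"
    echo "== key from a different certificate:"
    check_tls_files "$d/ca.crt" "$d/server.crt" "$d/ca.key" || echo "rejected"
    rm -rf "$d"
}
demo
```

To check a real deployment, call check_tls_files with the paths from mosquitto.conf while running as the account named in the `user` option, so that ownership problems show up in step 1 rather than only in the broker log. Two points that follow from the checks: cafile expects a file holding only certificates, so a `cat ca.key ca.crt` bundle both fails check 2 and places a private key in a file that is only meant to be a trust store; and capath expects a directory of hashed symlinks (the mosquitto.conf man page says to run `c_rehash` on it whenever a certificate is added or removed), so a plain directory containing ca.crt is not enough on its own.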

Launchpad Janitor (janitor) said:
#8

This question was expired because it remained in the 'Open' state without activity for the last 15 days.