unable to load server key file mosquitto

Asked by blackjackpsp

Hello, I tried to configure mosquitto to use SSL/TLS, but unfortunately when I try to connect to the broker it tells me connection refused.
In the log file appears the error 'ERROR: Unable to load server key file "/home/asus/server.key". Check keyfile.'

My conf file is:

listener 8883
port 8883
CAFile /home/asus/ca.crt
certfile /home/asus/server.crt
keyfile /home/asus/server.keyfile
require_certificate false
tls_version TLSv1

Question information

Status: Solved
For: mosquitto
Solved by: Roger Light
#1 Roger Light (roger.light) said:

If you are running on Ubuntu, you might not have access to those files because of apparmor protection. You could try disabling apparmor for mosquitto:

apparmor_parser -R /etc/apparmor.d/usr.sbin.mosquitto

Alternatively you could add support for the paths you want to access to /etc/apparmor.d/usr.sbin.mosquitto then update apparmor:

apparmor_parser -r /etc/apparmor.d/usr.sbin.mosquitto

If you aren't on Ubuntu, or have apparmor disabled, then I would suggest that you should just make another check that the mosquitto user has access to those keys.

You may also find this bug report relevant: https://bugs.eclipse.org/bugs/show_bug.cgi?id=452914

#2 blackjackpsp (blackjackpsp) said:

Hello, thanks for the reply. I tried to start mosquitto as root from the terminal by typing "sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf"; in the next step it asks me for the PEM pass phrase I previously set when I created the CA.
But if I try to make a subscription with "mosquitto_pub -p 8883 -t hello/world --cafile /home/asus/ca.crt" I get either "Unable to connect (8)" or "Protocol error". Looking through the mosquitto log file I note that the error is
"OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca" and below it
"OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure" and further below
"Socket error on client (null), disconnecting."
I must point out that I have slightly changed the configuration file by removing tls_version. I have also created all the files with the extension *.crt and *.key created during the creation of the CA, and server.key, in /etc/mosquitto/ca_certificates/, giving this folder all permissions (chmod 0777) for all users. For the client, I used the file ca.crt created for the server.
What is wrong?

#3 Roger Light (roger.light) said:

I just noticed you have

listener 8883
port 8883

Get rid of the "port 8883", you're trying to listen on the same port twice.

The error "TLSv1 alert unknown ca " suggests that your certificates are not necessarily configured correctly. When you generated the CA certificate and the server certificate did you give different parameters for commonName etc? This could be one reason for failure.

You should also try passing --insecure to mosquitto_pub if your server certificate does not have localhost as its commonName.

> giving this folder all permissions (chmod 0777) for all users.

This is definitely a bad idea :) I presume once you have it working you will fix that.

#4 blackjackpsp (blackjackpsp) said:

Hello, I tried to do it differently. I deleted all the files in the folder ca_certificates. I typed sudo su in the terminal and regenerated all the certificates, giving localhost as the common name when asked. I have not changed the file permissions any further, but I only did chmod mosquitto:mosquitto for all files, indicating mosquitto as owner and group.
I left the conf file the same as it was, only removing listener 8883. Then I copied all the files in the folder ca_certificates into /home and I called mosquitto_sub indicating that path. Unfortunately still Protocol Error and sometimes unable to connect (8) :/ I just can not figure out where the problem is :( Thanks for the help

#5 Roger Light (roger.light) said:

Protocol error or unable to connect sounds to me like you're trying to connect a TLS client to a non-TLS broker port, or vice versa. Could you paste in your exact config and the command you run the client with please?

#6 blackjackpsp (blackjackpsp) said:

config:

pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d

In the conf.d folder there are two files:
init.conf and certificates.conf

(init.conf content)
allow_anonymous false
password_file /home/asus/file2

(certificates.conf content)
port 8883
CAFile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/ca_certificates/server.crt
keyfile /etc/mosquitto/ca_certificates/server.key
user mosquitto

I copied the file ca.crt into /home/asus

I run the client by typing:
mosquitto_sub -h 127.0.0.1 -p 8883 --cafile /home/asus/ca.crt -t hello/world -u username -P password

#7 blackjackpsp (blackjackpsp) said:

I also tried to verify the certificate by typing:
openssl verify /etc/mosquitto/ca_certificates/ca.crt

and the results:

error 18 at 0 depth lookup: self signed certificate

#8 Roger Light (roger.light) said:

"CAFile"

This won't work, it should be "cafile". I'm surprised the broker starts!

On Wed, Jan 21, 2015 at 10:16 AM, blackjackpsp wrote:
> I also tried to verify the certificate by typing:
> openssl verify /etc/mosquitto/ca_certificates/ca.crt
>
> and the results:
>
> error 18 at 0 depth lookup: self signed certificate
>

#9 blackjackpsp (blackjackpsp) said:

Hello, anyway I created all the certificates and all the keys again in a different way and corrected the CAFile field in the conf file as follows:

pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d

conf.d folder there are two files:
init.conf and certificates.conf

(init.conf content)
allow_anonymous false
password_file /home/asus/file2

(certificates.conf content)
Ports 8883
CAFile /etc/mosquitto/ca_certificates/rootcert.pem
certfile /etc/mosquitto/ca_certificates/server.crt
keyfile /etc/mosquitto/ca_certificates/server.key
user mosquitto

Now the broker starts correctly, and if I run the client on localhost with "mosquitto_sub -h 127.0.0.1 -p 8883 --cafile /etc/mosquitto/ca_certificates/rootcert.pem -u user -p password -t hello/world" everything works perfectly, and everything published is received, though always locally on the server that runs the broker.
Now I want to make sure that the other computers on the network can communicate with each other using this broker, which is on a computer with Ubuntu 14.04, IP 192.168.1.106.
What are the certificate files that I need to import on the "client" machines to be able to communicate encrypted with this broker?

#10 blackjackpsp (blackjackpsp) said:

Sorry, I misspelled cafile, and instead of ports it is port in the previous message :(
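The three configuration mistakes that surfaced in this thread (#3: "port" and "listener" both set to 8883; #8: "CAFile" where mosquitto expects "cafile"; #10: "Ports" instead of "port") can all be caught before the broker is started. The script below is an added example, not code from the thread or from the Mosquitto project: it parses a mosquitto.conf-style text and reports those problems. Its option list is a hand-picked subset of real Mosquitto option names, it does not follow include_dir, and the check_files switch (off by default) is an assumption of this example that only tests whether the cafile/certfile/keyfile paths are readable by the user running the script.

```python
"""Lint a mosquitto.conf-style configuration for mistakes seen in this thread.

Added example, not Mosquitto project code. KNOWN_OPTIONS is a subset of the
real option names (all lowercase in Mosquitto); include_dir is not followed.
"""
import os

# Subset of mosquitto.conf option names; the real list is much longer.
KNOWN_OPTIONS = {
    "port", "listener", "cafile", "capath", "certfile", "keyfile",
    "require_certificate", "tls_version", "user", "pid_file",
    "persistence", "persistence_location", "log_dest", "include_dir",
    "allow_anonymous", "password_file", "use_identity_as_username",
}
TLS_FILE_OPTIONS = {"cafile", "certfile", "keyfile"}

# Constructed sample: the first config posted in this thread.
SAMPLE_CONFIG = """\
listener 8883
port 8883
CAFile /home/asus/ca.crt
certfile /home/asus/server.crt
keyfile /home/asus/server.keyfile
require_certificate false
tls_version TLSv1
"""


def parse_config(text):
    """Return (option, value) pairs, skipping blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0], value))
    return entries


def lint_config(text, check_files=False):
    """Return a list of human-readable problems found in the config text."""
    problems = []
    ports_in_use = {}  # port number -> option that first claimed it
    for option, value in parse_config(text):
        lowered = option.lower()
        if option not in KNOWN_OPTIONS:
            if lowered in KNOWN_OPTIONS:
                # Mosquitto option names are case-sensitive: "CAFile" is not "cafile".
                problems.append(
                    f'option "{option}" is mis-cased; mosquitto expects "{lowered}"')
            else:
                problems.append(f'unknown option "{option}"')
            continue
        if option in ("port", "listener"):
            # "port" sets the default listener; "listener" adds another one,
            # so the same number in both means listening on one port twice.
            port = value.split()[0] if value else ""
            if port in ports_in_use:
                problems.append(
                    f'port {port} is claimed by both "{ports_in_use[port]}" and "{option}"')
            else:
                ports_in_use[port] = option
        if check_files and option in TLS_FILE_OPTIONS and not os.access(value, os.R_OK):
            # Unix permissions only; AppArmor confinement of the broker is not modelled.
            problems.append(f'{option} "{value}" is missing or not readable by this user')
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = lint_config(fh.read(), check_files=True)
    else:
        found = lint_config(SAMPLE_CONFIG)
    for problem in found:
        print(problem)
```

Running it as the broker's account (for example sudo -u mosquitto python3 lint.py /etc/mosquitto/mosquitto.conf) shows the same Unix permission view the broker gets on its key files; an AppArmor denial like the one in #1 still has to be checked in the profile, since confinement applies to the mosquitto binary rather than to the user.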

#11 blackjackpsp (blackjackpsp) said:

Client-side error:
mosquitto_pub -h 192.168.1.106 -p 8883 -t --cafile ca_pub.crt hello/world -m "hello" -d
Client mosqpub/2968-raspberryp sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

Server-side error:

1421943071: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
1421943071: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1421943071: Socket read error on client (null), disconnecting

#12 Roger Light (roger.light) said (best answer):

> mosquitto_pub -h 192.168.1.106 -p 8883 -t --cafile ca_pub.crt hello/world -m "hello" -d
> Client mosqpub/2968-raspberryp sending CONNECT
> OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

certificate verify failed - did you use "192.168.1.106" as the common name in your server certificate? If not, the hostname doesn't match the certificate and you would expect it to fail. Try using the hostname of your server in the commonName and then passing the same hostname as the -h argument to mosquitto_pub/sub.

Or you could try passing --insecure to mosquitto_pub/sub, but that is insecure because it doesn't verify the hostname matches the certificate.
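The "certificate verify failed" on the client and "alert certificate unknown" on the broker in #11 come from the step described above: after the CA signature checks out, the client compares the name it was told to connect to (-h) with the names in the server certificate. The code below is an added example, not code from the thread, from libmosquitto or from OpenSSL; it models that comparison for certificates given in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, using constructed sample certificates. It goes slightly beyond the thread's case by handling subjectAltName DNS and IP entries and left-most-label wildcards as well as the commonName fallback; real implementations differ in details.

```python
"""Model of the TLS client hostname check behind "certificate verify failed".

Added example, not libmosquitto or OpenSSL code. Certificates are dicts in the
shape returned by ssl.SSLSocket.getpeercert(); the samples are constructed.
"""
import ipaddress

# Constructed sample certificates (not real certificates).
CN_LOCALHOST = {"subject": ((("commonName", "localhost"),),)}
CN_IP = {"subject": ((("commonName", "192.168.1.106"),),)}
SAN_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (
        ("DNS", "broker.lan"),
        ("DNS", "*.iot.lan"),
        ("IP Address", "192.168.1.106"),
    ),
}


def _dns_match(pattern, hostname):
    """Case-insensitive match of a dNSName pattern against hostname.

    A wildcard may only replace the whole left-most label, RFC 6125 style.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _as_ip(value):
    """Return an ip_address for an IP literal, or None for a hostname."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def hostname_matches(cert, hostname):
    """Return True if the -h value `hostname` is covered by `cert`."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    target_ip = _as_ip(hostname)

    if dns_names or ip_names:
        # subjectAltName present: it is authoritative and commonName is ignored.
        if target_ip is not None:
            return any(_as_ip(ip) == target_ip for ip in ip_names)
        return any(_dns_match(name, hostname) for name in dns_names)

    # No subjectAltName: legacy fallback to the subject commonName, compared as
    # a plain string. CN=192.168.1.106 therefore matches -h 192.168.1.106 (the
    # fix suggested above) while CN=localhost does not.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


if __name__ == "__main__":
    for label, cert in (("CN=localhost", CN_LOCALHOST), ("CN=IP", CN_IP), ("SAN", SAN_CERT)):
        for target in ("localhost", "192.168.1.106", "sensor.iot.lan"):
            print(f"{label:13s} -h {target:15s} -> {hostname_matches(cert, target)}")
```

The practical rule this encodes is the one from the answer above: connect with exactly the name that is in the certificate (CN=localhost pairs with -h localhost, CN=192.168.1.106 with -h 192.168.1.106), or issue the server certificate with subjectAltName entries for every name and address clients will use, rather than reaching for --insecure.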

#13 blackjackpsp (blackjackpsp) said:

Thanks Roger Light, that solved my question.