The exercise is a step-by-step procedure to generate client certificates for use with MQTT. The mosquitto broker and command line clients are used to demonstrate certificate use.
- Got this working finally, a combination of things so I am not sure which specific commands and reconfig played a role, but most notably I did register the client2 certs by putting them in /usr/share/org_dir/ and using
and specifying the DHCP-assigned IP of the server in the mosquitto.conf in listener as opposed to 127.0.0.1, because I read somewhere the host that you specify in the client command has to match against what's configured in the server, not just localhost or 127.0.0.1 (probably that's why it was working locally, but not from the client machine). Thanks a lot again for your client cert generation script, without that it would've been impossible to figure out. Jun 15, 2016
- You're welcome. Jun 15, 2016
- I have tried about everything I can think of and I get an Error: Problem setting TLS options in Step 3. I am not sure what I am doing wrong. I have changed all the file locations in the config file but can't seem to figure out why I am getting this error. Any help would be appreciated. Jul 20, 2016
- Mark Cowen had a similar problem. Look through the comments. My response was:
"I get the "TLS error" when the "require_certificate true" line is present in the configuration file. Once you have added the "require_certificate true" line to the configuration, the "--cafile" is not enough, you also need the "--cert" and "--key" arguments" Aug 10, 2016
- Post here if that does not work for you. Aug 10, 2016
- Thanks so much for your article. It helped me get mosquitto server running under ssl on a raspberry pi 3 and a client on another pi. 😊
One remaining issue: I can't seem to connect to the mosquitto server from a terminal session on the same server. I get "Error: Problem setting TLS options". (As you've said, a very unhelpful error message.) I can connect from a remote machine and everything works as expected, but cannot from a terminal session on the server machine itself. I was hoping to write a consumer of the data the mosquitto server is receiving, and have this consumer running on the mosquitto server, instead of needing a second server.
What I've tried so far:
I've tried generating separate client certificate and key for the server machine and using those to pub or sub, which still gives me the error.
I've tried using the server cert and key which, not unexpectedly, also didn't work.
Do you have any suggestions on where to look next?
-- UPDATE -- FIXED --
First of all, I'm a noob at Linux, and especially Linux security features.
It turned out that, in using sudo to create the client certificates in the working directory that I'd created, all of my certs had root as the owner. And from one of the comments above, I realized that could be a problem preventing the use of the file by another user. So, as an experiment I used sudo to run mosquitto_pub as the same owner as the certificate. And everything worked perfectly! So now I know I have to fix file permissions of the client certificate. Watch for file permission conflicts. The error messages and debug were next to useless for diagnosis.
So, to anyone who reads this far in these comments, make sure that the user running your program has permission to open the SSL certificates before exploring more speculative potential solutions.
So for this version of mosquitto (as of 4/14/2017) some clues:
"ERROR: Problem setting TLS options" may be signaling a file permissions issue. Using the -d switch showed no debug information in this case.
"ERROR: A TLS error occurred" might be signaling a problem with the certificate itself, such as using a server certificate to try and connect as a client. In this case, the debug option showed an attempt to connect, followed by the error message.
So, thanks Jerry! And thanks to everyone who was willing to share what they learned.
Good luck! Apr 15, 2017
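The two troubleshooting points raised in the comments above (the broker's "require_certificate true" needs "--cafile", "--cert" and "--key" together, and "Problem setting TLS options" often just means the invoking user cannot read one of those files) can be checked before calling the client. The following is an added example, not code from the original post or from the mosquitto project; the certificate paths, port 8883 and the broker hostname are assumptions.

```shell
#!/bin/sh
# Pre-flight check for TLS client-certificate publishing with mosquitto_pub.
# Reports which file the current user cannot open, which the client's own
# error message does not tell you. Paths below are assumed placeholders.
CAFILE="${CAFILE:-/etc/mosquitto/certs/ca.crt}"
CERT="${CERT:-/etc/mosquitto/certs/client.crt}"
KEY="${KEY:-/etc/mosquitto/certs/client.key}"

# check_tls_files CAFILE CERT KEY
# Returns 0 when all three exist and are readable by the invoking user;
# otherwise prints one line per problem to stderr and returns 1.
check_tls_files() {
    rc=0
    for f in "$1" "$2" "$3"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            rc=1
        elif [ ! -r "$f" ]; then
            # Typical cause seen in the comments: certs created with sudo,
            # so they are owned by root and unreadable by the normal user.
            owner=$(ls -l "$f" | awk '{print $3}')
            echo "not readable by $(id -un): $f (owner: $owner)" >&2
            rc=1
        fi
    done
    return $rc
}

# mqtt_pub HOST TOPIC MESSAGE
# Publishes over TLS with client-certificate authentication. HOST must match
# the name or IP in the server certificate and the broker's listener.
mqtt_pub() {
    check_tls_files "$CAFILE" "$CERT" "$KEY" || return 1
    mosquitto_pub -h "$1" -p 8883 \
        --cafile "$CAFILE" --cert "$CERT" --key "$KEY" \
        -t "$2" -m "$3"
}

# Usage (assumed hostname): mqtt_pub broker.example.com test/topic hello
```

Run it as the same user that will run your publisher or subscriber, since readability is what matters, not who created the files.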