home-assistant / addons

Docker add-ons for Home Assistant
https://home-assistant.io/hassio/
Apache License 2.0

Client certificate authentication without username/password not working #2750

Closed mortencombat closed 1 year ago

mortencombat commented 1 year ago

Describe the issue you are experiencing

I'm using a client certificate to publish to Mosquitto, with use_identity_as_username true so I shouldn't need to enter a username and password (e.g. can just use certificate authentication).

This works fine when I set up and test just locally. I cannot get it to work with the Mosquitto broker add-on in Home Assistant.

It works with the Mosquitto add-on if I specify the username and password of a valid user, but this should not be necessary. When I test locally (setting up a local mosquitto broker), it works fine (e.g. authenticating using just the client certificate/key; username/password is not necessary). As best as I can see, the use_identity_as_username true setting is not effectuated.

Using mosquitto_pub with -d option, I get the following output:

Client null sending CONNECT
Client null received CONNACK (5)
Connection error: Connection Refused: not authorised.
Error: The connection was refused.

On the Mosquitto add-on logs I see this (full log below):

2022-11-18 13:21:28: New connection from 10.0.20.82:50311 on port 8883.
error: received null username or password for unpwd check

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Mosquitto broker

What is the version of the add-on?

6.1.3

Steps to reproduce the issue

  1. Create a set of CA, server and client certificates/keys
  2. Configure the add-on: set require_certificate: true, customize.active: true and specify ca_file, cert_file and key_file
  3. In /share/mosquitto place a custom configuration file, e.g. mosquitto.conf, with use_identity_as_username true
  4. Restart add-on
  5. Use mosquitto_pub --cafile ca.crt --cert client.crt --key client.key -d -h <hostname> -p 8883 -t test -m "hello there"

System Health information

System Information

version core-2022.11.3
installation_type Home Assistant OS
dev false
hassio true
docker true
user root
virtualenv false
python_version 3.10.7
os_name Linux
os_version 5.15.74
arch x86_64
timezone Europe/Copenhagen
config_dir /config
Home Assistant Community Store
GitHub API ok
GitHub Content ok
GitHub Web ok
GitHub API Calls Remaining 4985
Installed Version 1.28.3
Stage running
Available Repositories 1142
Downloaded Repositories 2

Home Assistant Cloud
logged_in false
can_reach_cert_server ok
can_reach_cloud_auth ok
can_reach_cloud ok

Home Assistant Supervisor
host_os Home Assistant OS 9.3
update_channel stable
supervisor_version supervisor-2022.10.2
agent_version 1.4.1
docker_version 20.10.18
disk_total 30.8 GB
disk_used 4.8 GB
healthy true
supported true
board ova
supervisor_api ok
version_api ok
installed_addons Let's Encrypt (4.12.7), Studio Code Server (5.4.1), Terminal & SSH (9.6.1), Mosquitto broker (6.1.3)

Dashboards
dashboards 1
resources 0
mode auto-gen

Recorder
oldest_recorder_run November 11, 2022 at 16:31
current_recorder_run November 18, 2022 at 11:18
estimated_db_size 35.93 MiB
database_engine sqlite
database_version 3.38.5

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/mosquitto.sh
[13:21:18] INFO: Setting up user ams
[13:21:18] INFO: Certificates found: SSL is available
cont-init: info: /etc/cont-init.d/mosquitto.sh exited 0
cont-init: info: running /etc/cont-init.d/nginx.sh
cont-init: info: /etc/cont-init.d/nginx.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun mosquitto (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
[13:21:18] INFO: Starting NGINX for authentication handling...
s6-rc: info: service legacy-services successfully started
[13:21:18] INFO: Starting mosquitto MQTT broker...
1668774078: Loading config file /share/mosquitto/mosquitto.conf
2022-11-18 13:21:18: Warning: Mosquitto should not be run as root/administrator.
time="2022-11-18T13:21:18+01:00" level=debug msg="got 3 users from passwords file"
time="2022-11-18T13:21:18+01:00" level=debug msg="got 0 lines from acl file"
time="2022-11-18T13:21:18+01:00" level=info msg="Backend registered: Files"
time="2022-11-18T13:21:18+01:00" level=debug msg="new hasher: pbkdf2"
time="2022-11-18T13:21:18+01:00" level=info msg="Backend registered: HTTP"
time="2022-11-18T13:21:18+01:00" level=info msg="registered acl checker: files"
time="2022-11-18T13:21:18+01:00" level=info msg="registered user checker: files"
time="2022-11-18T13:21:18+01:00" level=info msg="registered superuser checker: files"
time="2022-11-18T13:21:18+01:00" level=info msg="registered acl checker: http"
time="2022-11-18T13:21:18+01:00" level=info msg="registered user checker: http"
time="2022-11-18T13:21:18+01:00" level=info msg="registered superuser checker: http"
time="2022-11-18T13:21:18+01:00" level=info msg="redisCache activated"
time="2022-11-18T13:21:18+01:00" level=info msg="started go-cache"
[13:21:19] INFO: Successfully send discovery information to Home Assistant.
[13:21:19] INFO: Successfully send service information to the Supervisor.
2022-11-18 13:21:18: mosquitto version 2.0.11 starting
2022-11-18 13:21:18: Config loaded from /etc/mosquitto/mosquitto.conf.
2022-11-18 13:21:18: Loading plugin: /usr/share/mosquitto/go-auth.so
2022-11-18 13:21:18:  ├── Username/password checking enabled.
2022-11-18 13:21:18:  ├── TLS-PSK checking enabled.
2022-11-18 13:21:18:  └── Extended authentication not enabled.
2022-11-18 13:21:18: Opening ipv4 listen socket on port 8885.
2022-11-18 13:21:18: Opening ipv4 listen socket on port 1883.
2022-11-18 13:21:18: Opening ipv6 listen socket on port 1883.
2022-11-18 13:21:18: Opening websockets listen socket on port 1884.
2022-11-18 13:21:18: Opening ipv4 listen socket on port 8883.
2022-11-18 13:21:18: Opening ipv6 listen socket on port 8883.
2022-11-18 13:21:18: Opening websockets listen socket on port 8884.
2022-11-18 13:21:18: mosquitto version 2.0.11 running
2022-11-18 13:21:18: New connection from 127.0.0.1:39048 on port 1883.
2022-11-18 13:21:18: Client <unknown> closed its connection.
2022-11-18 13:21:28: New connection from 10.0.20.82:50311 on port 8883.
error: received null username or password for unpwd check

Additional information

No response
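
Steps 1 to 3 of the reproduction above, as an added example that is not part of the issue or of the add-on's own code: a throwaway CA, server and client certificate set built with openssl, a minimal mosquitto.conf carrying the settings the reporter describes, and a check of the client certificate's CN, which is the identity that use_identity_as_username maps to the MQTT username. The hostname, directory and CN values are constructed placeholders; the config is the plain Mosquitto form, not the add-on's option schema.

```shell
#!/bin/sh
# Added example, not code from the issue or the add-on. Builds a CA, a server
# certificate and a client certificate, writes a minimal mosquitto.conf for a
# certificate-only listener, and prints the identity mosquitto would use as the
# username. All names (mqtt.example.local, sensor-01, example-ca) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: CA, server and client certificates/keys (constructed subjects).
make_certs() {
    dir="$1"
    # Self-signed CA that will sign both the server and the client certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key + CSR, signed by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mqtt.example.local" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/server.crt" 2>/dev/null
    # Client key + CSR, signed by the CA. The CN is what use_identity_as_username
    # turns into the MQTT username, so it must match the account the broker knows.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sensor-01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/client.crt" 2>/dev/null
}

# Print the CN of a certificate, i.e. the identity mosquitto would take as username.
client_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN *= *//p'
}

# "ok" if the client certificate chains to the CA the listener is configured with,
# "fail" otherwise (a cert from any other CA is rejected before authentication).
verify_client() {
    if openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Steps 2 and 3: the listener settings the issue describes, in plain Mosquitto form.
write_conf() {
    cat > "$1/mosquitto.conf" <<EOF
listener 8883
cafile $1/ca.crt
certfile $1/server.crt
keyfile $1/server.key
require_certificate true
use_identity_as_username true
EOF
}

main() {
    make_certs "$WORK"
    write_conf "$WORK"
    echo "work dir:        $WORK"
    echo "client identity: $(client_identity "$WORK/client.crt")"
    echo "client chains to CA: $(verify_client "$WORK")"
}

main
```

With this configuration a stock broker authenticates the connection from the certificate alone and sees the username sensor-01. The add-on log in the report shows the go-auth plugin with "Username/password checking enabled" and then "received null username or password for unpwd check" on the 8883 connection, which is why the reporter only gets through when a username and password are supplied as well; the mosquitto_pub command from step 5, run against this directory's files, reproduces that comparison.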

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

pruwait commented 4 months ago

Is there any solution? I need use_identity_as_username true