home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Enable SSL with MQTT integration #130643

Closed cjbaar closed 1 hour ago

cjbaar commented 5 hours ago

The problem

I am attempting to use the MQTT integration with TLS/SSL. I have a mosquitto broker configured with a certificate from Let's Encrypt, and I have successfully tested connecting over the secure connection with the local mosquitto_sub command. However, attempting to connect to the same host and port within the HA GUI fails without explanation. The mosquitto logs show "error:0A00010B:SSL routines::wrong version number."

When I search this issue, the related content seems to indicate that Home Assistant needs to be configured with a CA cert. When I do this through configuration.yaml, as shown in multiple posts, I get similar errors in the HA logs: "The 'broker' option near /config/configuration.yaml:38 has been removed, please remove it from your configuration 'mqtt->0'"

But there are no GUI options for providing certs or enabling SSL. What is the proper way to configure these settings for secure communication with the MQTT broker?

What version of Home Assistant Core has the issue?

core-2024.11.1

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

mqtt

Link to integration documentation on our website

https://www.home-assistant.io/integrations/mqtt/

Diagnostics information

No response

Example YAML snippet

mqtt:
  broker: xxx
  port: 8883
  username: xxx
  password: xxx
  tls_insecure: true

Anything in the logs that might be useful for us?

2024-11-14 10:27:41.697 ERROR (MainThread) [homeassistant.config] Invalid config for 'mqtt' at configuration.yaml, line 37: The 'broker' option near /config/configuration.yaml:38 has been removed, please remove it from your configuration 'mqtt->0', got None, please check the docs at https://www.home-assistant.io/integrations/mqtt

Additional information

No response

home-assistant[bot] commented 5 hours ago

Hey there @emontnemery, @jbouwh, @bdraco, mind taking a look at this issue as it has been labeled with an integration (mqtt) you are listed as a code owner for? Thanks!

jbouwh commented 4 hours ago

You need to enable advanced options. https://www.home-assistant.io/integrations/mqtt/#advanced-broker-configuration This will allow you to set TLS and certificate options through the UI.

cjbaar commented 1 hour ago

Thanks. So, I figured out I have to enable "advanced" features for my user profile before those show up. Not super intuitive, but I see the advanced MQTT options now. I have tried certificate validation set to Off, Auto, and Custom, but none connect. When using Custom, I am uploading the CA for my Let's Encrypt cert. Is this what it needs? I am not trying to use client cert-based authentication.

cjbaar commented 1 hour ago

OK, well I tried going back to "Auto" after uploading the custom cert, and now it seems to connect. Not sure if that is the intended setup. Thanks for the quick assistance.

jbouwh commented 1 hour ago

If you run a broker for your own use, you might consider installing a self-signed certificate, but Let's Encrypt should work as well. For Let's Encrypt, Auto is the way to go, as it will use the trusted public certs as a base to validate. To use client-based authentication you probably end up signing those against a self-signed root,
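An added example, written for this thread and not taken from Home Assistant, Mosquitto or any MQTT client library. It shows the two things the thread turns on: what a TLS listener on 8883 sees when a client never starts TLS (the "wrong version number" error from the first post), and how the Off, Auto and Custom validation choices differ, expressed with Python's ssl module. The mapping of those three choices onto ssl settings is my reading of jbouwh's answer, not HA's implementation; the byte samples are constructed.

```python
import ssl

# Constructed samples of the first bytes a broker reads from a new socket.
# TLS ClientHello: record type 0x16, legacy version 0x0301, handshake type 0x01.
TLS_CLIENT_HELLO = bytes.fromhex("16030100f5010000f10303")
# Plaintext MQTT CONNECT: control byte 0x10, remaining length 0x14, then the
# variable header 0x0004 "MQTT", protocol level 0x04, flags 0x02, keepalive 0x003c.
MQTT_CONNECT = bytes.fromhex("10140004") + b"MQTT" + bytes.fromhex("0402003c")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'mqtt-plaintext' or 'unknown' for the start of a connection.
    A broker listening with TLS on 8883 that receives 'mqtt-plaintext' bytes logs
    the "wrong version number" error quoted in the issue."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data and data[0] == 0x10:
        i = 1  # skip the variable-length "remaining length" field (1..4 bytes)
        while i < len(data) and data[i] & 0x80:
            i += 1
        if data[i + 1:i + 7] == b"\x00\x04MQTT":
            return "mqtt-plaintext"
    return "unknown"


def broker_tls_context(validation: str, ca_file: str = "") -> ssl.SSLContext:
    """Assumed mapping of the issue's Off/Auto/Custom choices (not HA's own code):
    'auto'   -> OS trust store, which is what a Let's Encrypt certificate needs;
    'custom' -> only the uploaded CA file, e.g. a self-signed root;
    'off'    -> encrypted but unauthenticated, any certificate is accepted."""
    if validation == "auto":
        return ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if validation == "custom":
        if not ca_file:
            raise ValueError("custom validation needs a CA file")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
        ctx.load_verify_locations(cafile=ca_file)
        return ctx
    if validation == "off":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError(f"unknown validation mode: {validation}")


def validation_summary(validation: str, ca_file: str = "") -> tuple:
    """(certificate verified, hostname checked) for a validation mode."""
    ctx = broker_tls_context(validation, ca_file)
    return ctx.verify_mode != ssl.CERT_NONE, ctx.check_hostname
```

Running classify_first_bytes over a packet capture of the failing connection is a quick way to tell a plaintext-on-8883 mistake from a real certificate problem before touching the validation settings.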