ioBroker / ioBroker.mqtt

Mqtt server and client for ioBroker.
MIT License

mosquitto can't connect when TLS is enabled #341

Open tehXor opened 1 year ago

tehXor commented 1 year ago

Describe the bug
When enabling TLS (with the use of Let's Encrypt certificates) mosquitto is unable to connect. After "Client (null) sending CONNECT" it just throws "Error: Unknown error." without further output, although the -d flag for debug output is set. Connecting with TLS disabled on the MQTT adapter works. Connecting with openssl s_client -connect and TLS enabled on the MQTT adapter also looks good, and every certificate in the chain could be verified. Even with the debug flag, the MQTT adapter log shows no entries of these failed connections.

To Reproduce
Steps to reproduce the behavior:

  1. In the adapter settings tick the SSL checkbox and use public, private and chain certificate files from Let's Encrypt for your domain under which ioBroker is reachable (and optionally set the port to 8883 to ensure clients will pick up that they should use TLS).
  2. On another machine install all mosquitto packages: apt install mosquitto*
  3. Try to connect with a test message (and optionally TLS flags to ensure mosquitto tries to use TLS): mosquitto_pub -h my.iobroker.domain -t test -m "hello" -p 8883 -u "test" -P "t35t" --tls-use-os-certs -d (you can also try all other TLS related flags)
  4. This always results in "Error: Unknown error.", no matter which mosquitto flags you try.

Expected behavior
It should publish the test message just like it does when TLS (the SSL flag in the MQTT adapter options) is disabled.

Screenshots & Logfiles
mosquitto_pub -h my.iobroker.domain -t test -m "hello" -p 8883 -u "test" -P "t35t" --tls-use-os-certs -d:

Client (null) sending CONNECT
Error: Unknown error.

openssl s_client -connect my.iobroker.domain:8883:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.iobroker.domain
verify return:1
---
Certificate chain
 0 s:CN = *.iobroker.domain
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=CN = *.iobroker.domain

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5088 bytes and written 385 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: XXXXXXXXXXXXXXX
    Session-ID-ctx:
    Resumption PSK: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   XXXXXXXXXXXXXXXX

    Start Time: 1670990241
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: XXXXXXXXXXXXXXX
    Session-ID-ctx:
    Resumption PSK: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   XXXXXXXXXXXXXXXX

    Start Time: 1670990241
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Adapter log:

mqtt.0 2022-12-14 05:27:16.236 info Plugin sentry Sentry Plugin disabled for this process because sending of statistic data is disabled for the system
mqtt.0 2022-12-14 05:27:16.297 info starting. Version 4.0.7 in /opt/iobroker/node_modules/iobroker.mqtt, node: v16.18.1, js-controller: 4.0.23
mqtt.0 2022-12-14 05:27:16.479 info Starting MQTT (Secure) authenticated server on 0.0.0.0:8883

Versions:
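The report above shows two observations that the openssl output cannot reconcile: the TLS handshake on port 8883 completes and the chain verifies, yet mosquitto_pub fails right after sending CONNECT. The script below is an added diagnostic, not code from ioBroker.mqtt or mosquitto. It performs the TLS handshake with the OS trust store and with host name verification (which openssl s_client does not do unless -verify_hostname is given), then sends a minimal MQTT 3.1.1 CONNECT with the username and password from the report and decodes the CONNACK, so a failure can be pinned to the TCP, TLS or MQTT layer. The host name, port and credentials are the placeholders from the issue; the client ID tls-probe and the script file name are assumptions.

```python
"""Added diagnostic, not part of ioBroker.mqtt or mosquitto: verified TLS
handshake to an MQTT broker, then a raw MQTT 3.1.1 CONNECT/CONNACK exchange."""
import socket
import ssl
import struct
import sys
from typing import Optional, Tuple

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3).
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit set means more bytes."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 30) -> bytes:
    """Build a CONNECT packet: clean session, no will, protocol level 4 (MQTT 3.1.1)."""
    flags = 0x02  # clean session
    payload = encode_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += encode_string(username)
    if password is not None:
        flags |= 0x40
        payload += encode_string(password)
    variable_header = (encode_string("MQTT") + bytes([4, flags])
                       + struct.pack("!H", keepalive))
    body = variable_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(packet: bytes) -> Tuple[bool, int]:
    """Return (session_present, return_code) from a CONNACK, or raise ValueError."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError(f"not a CONNACK: {packet!r}")
    return bool(packet[2] & 0x01), packet[3]


def probe(host: str, port: int = 8883, username: Optional[str] = None,
          password: Optional[str] = None, timeout: float = 10.0) -> str:
    """TCP connect, TLS handshake (OS trust store + host name check), CONNECT, CONNACK."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"TCP layer: connect failed: {exc}"
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return f"TLS layer: handshake failed: {exc}"
    with tls:
        print(f"TLS layer: ok, {tls.version()} {tls.cipher()[0]}")
        tls.sendall(build_connect("tls-probe", username, password))  # client ID is assumed
        try:
            reply = tls.recv(4)
        except (ssl.SSLError, OSError) as exc:
            return f"MQTT layer: connection dropped after CONNECT: {exc}"
        if not reply:
            return "MQTT layer: broker closed the connection after CONNECT without a CONNACK"
        _, code = parse_connack(reply)
        if code == 0:
            tls.sendall(b"\xe0\x00")  # DISCONNECT so the broker sees a clean close
        return f"MQTT layer: CONNACK code {code} ({CONNACK_CODES.get(code, 'unknown')})"


if __name__ == "__main__":
    # Usage: python3 mqtt_tls_probe.py my.iobroker.domain 8883 test t35t
    host = sys.argv[1] if len(sys.argv) > 1 else "my.iobroker.domain"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8883
    user = sys.argv[3] if len(sys.argv) > 3 else None
    pw = sys.argv[4] if len(sys.argv) > 4 else None
    print(probe(host, port, user, pw))
```

If the script reports a TLS-layer failure where openssl s_client reported "Verification: OK", the difference is host name checking, and the certificate's CN or SAN should be compared with the name the client connects to. If it reports that the broker closed the connection after CONNECT without a CONNACK, the TLS setup is fine and the problem sits in the MQTT layer of the adapter, which is the case worth attaching to a bug report together with the adapter log.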

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within the next 7 days. Please check if the issue is still relevant in the most current version of the adapter and tell us. Also check that all relevant details, logs and reproduction steps are included and update them if needed. Thank you for your contributions.