macchina-io / macchina.io

macchina.io EDGE is a powerful C++ and JavaScript SDK for edge devices, multi-service IoT gateways and connected embedded systems.
https://macchina.io
GNU General Public License v3.0

Setting up MQTT with TLS Help needed #80

Closed FatKoala closed 6 years ago

FatKoala commented 6 years ago

Hello,

I have a problem with setting up MQTT communication with TLS. I tested communication with the mosquitto broker and clients and it works with certificates. However, I can't establish communication from macchina.io. Macchina is running on a Raspberry Pi 3 and my broker is on a Windows 10 PC. I edited the macchina.properties file in the server directory, and I added a new client with the correct serverURI and ssl.trustStore certificate path. On the server I get a handshake failure. PS. I am able to establish communication without SSL. Am I missing some settings before using SSL/TLS?

obiltschnig commented 6 years ago

You are probably missing some settings. Could you share the mosquitto server configuration?

FatKoala commented 6 years ago

port 8883
cafile C:\Program Files (x86)\mosquitto\certs\m2mqtt_ca.crt
certfile C:\Program Files (x86)\mosquitto\certs\m2mqtt_srv.crt
keyfile C:\Program Files (x86)\mosquitto\certs\m2mqtt_srv.key
tls_version tlsv1.2

This is my server config file. I transferred m2mqtt_ca.crt to macchina.io and added the path to ssl.trustStore in macchina.properties. Note: communication with certificates and the same setup works fine when I am using mosquitto_client on the RPi 3 instead of macchina.

obiltschnig commented 6 years ago

How does your macchina.properties file look regarding the MQTT configuration?

Should be something like:

mqtt.clients.m2mqtt.serverURI = ssl://192.168.2.34
mqtt.clients.m2mqtt.clientId = macchina
mqtt.clients.m2mqtt.ssl.trustStore = m2mqtt_ca.crt
mqtt.clients.m2mqtt.ssl.enabledCipherSuites = TLSv1
mqtt.clients.m2mqtt.ssl.version = tls1.2

Note the mqtt.clients.m2mqtt.serverURI, which should have ssl instead of tcp scheme.

FatKoala commented 6 years ago

I had:

mqtt.clients.m2mqtt.serverURI = ssl://192.168.2.34
mqtt.clients.m2mqtt.clientId = macchina
mqtt.clients.m2mqtt.ssl.trustStore = m2mqtt_ca.crt

and now I added the two that follow, but still no connection. What directory should the certificate be stored in? Maybe that is the problem. I have an absolute path that points to the cert right now. Should it be stored in some specially dedicated folder inside macchina, or doesn't it matter?

obiltschnig commented 6 years ago

I'm a bit out of ideas here. It could be helpful to enable Paho logging on the client. This is done by setting some environment vars before starting macchina:

$ export MQTT_C_CLIENT_TRACE=ON
$ export MQTT_C_CLIENT_TRACE_LEVEL=TRACE_PROTOCOL

Maybe it will give you a better hint what goes wrong.

FatKoala commented 6 years ago

Hello, I managed to make it work. I am not sure what was wrong, but I think that my client wasn't able to read the certificate. Thank you for the help; the environment variables helped with finding the issue. Note: I moved my .crt file to the /etc/ssl/certs folder and then everything worked.
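As an added example, not part of this issue thread and not macchina.io's own code: a small stand-alone Python checker for the two configuration points the thread turns on, the ssl:// scheme in serverURI and a trust store that is an absolute path to a PEM CA file the macchina process can actually read (the final fix here was a certificate the client could not read). The mqtt.clients.<name>.* key names follow the maintainer's example above; the property parser is a simplified POCO-style reader (assumption: "=" or ":" separators, "#"/"!" comment lines, no ${var} expansion), and the sample configuration and certificate file in run_demo() are constructed for the demo, with a placeholder PEM body rather than a real certificate.

```python
"""Lint the MQTT/TLS settings in a macchina.properties file.

Added example for this thread, not macchina.io's own code. Checks that
serverURI uses the ssl:// scheme and that ssl.trustStore points at a
PEM CA file this user can read. The parser is a simplified POCO-style
properties reader (assumption: '=' or ':' separators, '#'/'!' comments,
no ${var} expansion).
"""
import os
import tempfile
from typing import Dict, List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
CLIENT_PREFIX = "mqtt.clients."


def parse_properties(text: str) -> Dict[str, str]:
    """Return key -> value for 'key = value' / 'key: value' lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, found, value = line.partition(sep)
        if found:
            props[key.strip()] = value.strip()
    return props


def mqtt_clients(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group mqtt.clients.<name>.<setting> keys by client name."""
    clients: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        if not key.startswith(CLIENT_PREFIX):
            continue
        name, _, setting = key[len(CLIENT_PREFIX):].partition(".")
        if name and setting:
            clients.setdefault(name, {})[setting] = value
    return clients


def check_client(name: str, settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the client looks fine."""
    problems: List[str] = []
    uri = settings.get("serverURI", "")
    if not uri.startswith("ssl://"):
        problems.append(f"{name}: serverURI '{uri}' does not use the ssl:// scheme")
    store = settings.get("ssl.trustStore")
    if store is None:
        problems.append(f"{name}: no ssl.trustStore configured")
        return problems
    if not os.path.isabs(store):
        # A relative path is resolved against whatever directory macchina
        # is started from, so flag it even if it happens to exist right now.
        problems.append(f"{name}: trustStore '{store}' is a relative path")
        store = os.path.abspath(store)
    if not os.path.isfile(store):
        problems.append(f"{name}: trustStore '{store}' does not exist")
    elif not os.access(store, os.R_OK):
        problems.append(f"{name}: trustStore '{store}' is not readable by this user")
    else:
        with open(store, "r", errors="replace") as fh:
            if PEM_HEADER not in fh.read():
                problems.append(f"{name}: trustStore '{store}' is not a PEM certificate")
    return problems


def check_properties_file(path: str) -> Dict[str, List[str]]:
    """Lint every mqtt.clients.* entry in the given properties file."""
    with open(path, "r") as fh:
        clients = mqtt_clients(parse_properties(fh.read()))
    return {name: check_client(name, s) for name, s in clients.items()}


def run_demo() -> Dict[str, List[str]]:
    """Write a constructed sample config into a temp dir and lint it."""
    workdir = tempfile.mkdtemp(prefix="macchina-mqtt-")
    ca_path = os.path.join(workdir, "m2mqtt_ca.crt")
    with open(ca_path, "w") as fh:  # placeholder PEM body, not a real cert
        fh.write(PEM_HEADER + "\nMIIB...placeholder...\n-----END CERTIFICATE-----\n")
    config = (
        "# constructed sample, mirrors the thread's working client\n"
        "mqtt.clients.m2mqtt.serverURI = ssl://192.168.2.34\n"
        "mqtt.clients.m2mqtt.clientId = macchina\n"
        f"mqtt.clients.m2mqtt.ssl.trustStore = {ca_path}\n"
        "mqtt.clients.m2mqtt.ssl.version = tls1.2\n"
        "# constructed sample of the two mistakes discussed in the thread\n"
        "mqtt.clients.broken.serverURI = tcp://192.168.2.34\n"
        f"mqtt.clients.broken.ssl.trustStore = {os.path.join(workdir, 'missing.crt')}\n"
    )
    props_path = os.path.join(workdir, "macchina.properties")
    with open(props_path, "w") as fh:
        fh.write(config)
    return check_properties_file(props_path)


if __name__ == "__main__":
    for client, issues in run_demo().items():
        print(client, "OK" if not issues else "\n  ".join([""] + issues))
```

Run it as the same user that starts macchina (for example under sudo or the service account), since os.access answers for the current uid and the readability problem in this thread was exactly that kind of permission mismatch. The checker only proves the file is a readable PEM; whether the broker's certificate actually chains to that CA is what the Paho trace (MQTT_C_CLIENT_TRACE) or an openssl s_client handshake against port 8883 tells you.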