TLS setup failed: MqttException

[anterosa]

After updating to 2.2.2 I got subjectAltNames issue with working setup. After going through that issue made new self signed certificate, but after some try and error cycles got stuck with "TLS setup failed: MqttException"

I tried to follow booklet quidelines and TLS section instructions. Atleast booklet pics look outdated and does not outline the need to use combined format for Android 10. I managed to figure that out, but got stuck in something else.

Not sure if this related to server or Owntracks? Can somebody tell that from error description?

My last attemp to make cert: openssl genrsa -des3 -out ca.key 2048 openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -config reqca.conf openssl genrsa -out server.key 2048 openssl req -new -out server.csr -key server.key openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1826 openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca-combined.p12

reqca.conf: [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = FI ST = HA L = YLOJARVI O = SalojarviA OU = A CN = asalojarvi.fi [v3_req] subjectAltName = @alt_names [alt_names] DNS.1 = .fi (domain hidden) DNS.2 = .dy.di

• App build number: 2.2.2
• Android version: OxygenOS 10.0.10
• Device: OnePlus 7T pro
• **Server RPI- Raspian Strecth running mosquitto 1.4.10

[growse]

Is there any clue in the OT log as to what might be failing?

[anterosa]

Owntracks Log File.txt

Some instructions refer to certificate password. "Only password protected certs supported" Is this refering to compined .p12 password or ca.crt password?

Mosquitto log from server: 1616407664: Socket error on client , disconnecting. 1616407725: New connection from 192.168.1.1 on port 8883. 1616407725: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown 1616407725: Socket error on client , disconnecting. 1616408059: New connection from 192.168.1.1 on port 8883. 1616408059: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown 1616408059: Socket error on client , disconnecting.

[grimpeur78]

I am facing a similar issue, but without using subjectAltName.

My mosquitto.log reads: 1616435440: New connection from :43380 on port 8883.
1616435440: OpenSSL Error[0]: error:14035416:SSL routines:ACCEPT_SR_CERT:sslv3 alert certificate unknown
1616435440: OpenSSL Error[1]: error:140350E5:SSL routines:ACCEPT_SR_CERT:ssl handshake failure
1616435440: Client disconnected: Protocol error.

[growse]

@grimpeur78 what do you mean "without using subjectAltName"?

Either your server leaf certs need to have the subjectAltName attribute present, or you need to provide the server leaf certificate as the CA certificate in the OT app.

[growse]

@anterosa it's not clear what your intention is from looking at your openssl commands.

1. It's not obvious why you're providing SANs to your CA cert (by passing -config reqca.conf to your CA cert generation command). Did you mean to create SANs on your server certificate? I'm not even sure what having a SAN on a CA cert even means.
2. It's also not clear why you're creating a p12 bundle of your CA cert / key. If you're using your own CA, the OT client only needs the CA certificate. The key should never leave the device you use for signing other certs.

openssl is hard to use, which is why I keep recommending that people use more modern tools like mkcert.

[grimpeur78]

@grimpeur78 what do you mean "without using subjectAltName"?

Either your server leaf certs need to have the subjectAltName attribute present, or you need to provide the server leaf certificate as the CA certificate in the OT app.

I've gotten my issue sorted out this morning using the generate-CA.sh scripts. Everything is working perfectly again, thanks!

[anterosa]

@growse 1) I thought that OT specifically needs SAN in CA cert. (Original problem with old cert was lack of subjectAltNames) It should be in server cert? (Not used SAN's before so not very clear to me)

2)p12 bundle is needed to install cert on Android10 phone or atleast it worked that way. (There was some discussion on web that it came with Android 10)

I am willing to to move to mkcert, but did not find good instructions on use of it. Not very easy with to install to raspberry either.

[growse]

1. The subjectAlternateNames is a list of names for which a server TLS certificate may be presented on. TLS clients check the name that they they're connecting to is contained within the SAN list of the certificate presented to ensure that the cert is actually valid for that name, and not some completely different cert. The CA cert is just the cert that's used by an authority to sign the server certificate. The TLS client only really cares that the CA cert is (a) trusted (either specified explicitly or in the system store) and (b) valid (is correctly formatted and has the appropriate attributes set for a CA cert).

2. I think you're confusing installing a CA cert that's used to trust TLS connections where the server cert is signed by that CA with actually using client certificates, which requires a cert/key pair actually to be shipped to the client's device. Are you trying to use client certificates?

mkcert has arm builds on the release page: https://github.com/FiloSottile/mkcert/releases/tag/v1.4.3

[anterosa]

I used https://github.com/owntracks/tools/tree/master/TLS and got it working. Thanks for advice! My mistake was that SAN's should be integrated to client side cert. From @growse 's comments and going trough TLS tool script I got better understanding. My phone did not accept ca.crt with SAN'n inside, so I was missleaded to use .p12 format.