owntracks / recorder

Store and access data published by OwnTracks apps

[A TLS error occurred.]: unknown reason. #259

Closed guillebot closed 6 years ago

guillebot commented 6 years ago

Hi everybody. Sorry for bothering you.

I had recorder working fine, but in one of those unnecessary update rallies I changed some components of my openSUSE Leap box and it stopped working.

I would be extremely thankful at any pointers regarding this troubleshooting.

Below is everything I did:

Relevant entries of ot-record config file:

```
OTR_CAFILE="/etc/mosquitto/certs/ca.crt"
OTR_CAPATH="/etc/mosquitto/certs/"
OTR_CERTFILE="/etc/mosquitto/certs/ot-recorder.crt"
OTR_KEYFILE="/etc/mosquitto/certs/ot-recorder.key"
```

Error message:

```
Aug 30 13:28:31 openhab mosquitto[708]: New connection from 192.168.1.2 on port 8883.
Aug 30 13:28:31 openhab mosquitto[708]: OpenSSL Error: error:140780E5:SSL routines:ssl23_read:ssl handshake failure
Aug 30 13:28:31 openhab mosquitto[708]: Socket error on client <unknown>, disconnecting.
```

This is not a file permissions issue, as we can see in this strace output:

```
access("/etc/mosquitto/certs/ca.crt", R_OK) = 0
openat(AT_FDCWD, "/etc/mosquitto/certs/ca.crt", O_RDONLY) = 18
close(18)                               = 0
openat(AT_FDCWD, "/etc/mosquitto/certs/ot-recorder.crt", O_RDONLY) = 18
close(18)                               = 0
openat(AT_FDCWD, "/etc/mosquitto/certs/ot-recorder.key", O_RDONLY) = 18
close(18)                               = 0
```

This is a test with mosquitto_sub, with the same files, working:

```
openhab:~/recorder-master # mosquitto_sub -h localhost -p 8883 -t '#' --cafile /etc/mosquitto/certs/ca.crt --capath /etc/mosquitto/certs/ --tls-version tlsv1.2 --key /etc/mosquitto/certs/ot-recorder.key --cert /etc/mosquitto/certs/ot-recorder.crt
0.00
Undefined
2018-08-30T13:29:58
0.89
```

These are my permissions, but everything is now running as root:

```
openhab:/etc/mosquitto/certs # ls -la
total 52
drwxr-xr-x 1 root      mosquitto  330 Aug 20 08:25 .
drwxr-xr-x 1 root      mosquitto  268 Aug 30 12:51 ..
-rw-r--r-- 1 root      mosquitto  130 Aug 20 08:25 README
-r--r--r-- 1 mosquitto mosquitto 1326 Oct 12  2017 ca.crt
-r-------- 1 mosquitto mosquitto 1704 Oct 12  2017 ca.key
-rw-r--r-- 1 mosquitto mosquitto   17 Oct 12  2017 ca.srl
-r--r--r-- 1 mosquitto mosquitto 1541 Oct 18  2017 mqttwarn.crt
-rw-r--r-- 1 mosquitto mosquitto  891 Oct 18  2017 mqttwarn.csr
-r-------- 1 mosquitto mosquitto 1679 Oct 18  2017 mqttwarn.key
-r--r--r-- 1 mosquitto mosquitto 1879 Oct 12  2017 openhab.libertad.crt
-rw-r--r-- 1 mosquitto mosquitto 1009 Oct 12  2017 openhab.libertad.csr
-r--r--r-- 1 mosquitto mosquitto 1675 Oct 12  2017 openhab.libertad.key
-r--r--r-- 1 mosquitto mosquitto 1545 Oct 19  2017 ot-recorder.crt
-rw-r--r-- 1 mosquitto mosquitto  895 Oct 19  2017 ot-recorder.csr
-r-------- 1 mosquitto mosquitto 1679 Oct 19  2017 ot-recorder.key
```

Sorry about the indenting, don't know how to fix it.

More info: the rest of the suite is working. OwnTracks iOS is running OK, the same with mqttwarn.

Every app is connecting to port 8883 using TLS.

Thanks in advance!

Guillermo

jpmens commented 6 years ago

Has your TLS certificate (openhab.libertad.crt) expired? Was this issued by Let's Encrypt?

guillebot commented 6 years ago

As usual, thank you very much for your time.

I think it's valid until 2032.

```
openhab:/etc/mosquitto/certs # openssl x509 -in openhab.libertad.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d0:a4:36:a0:e0:10:70:25
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
        Validity
            Not Before: Oct 12 20:59:15 2017 GMT
            Not After : Oct  8 20:59:15 2032 GMT
```

guillebot commented 6 years ago

Same for ot-recorder.crt:

```
openhab:/etc/mosquitto/certs # openssl x509 -in ot-recorder.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d0:a4:36:a0:e0:10:70:30
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
        Validity
            Not Before: Oct 19 21:58:43 2017 GMT
            Not After : Oct 15 21:58:43 2032 GMT
```

jpmens commented 6 years ago

And /etc/mosquitto/certs/ca.crt? You're using that in your mosquitto invocation.

(Please learn to put code between code fences (a line containing three backticks))

guillebot commented 6 years ago

Oh thanks for the code markup tip. I was using the link at the top of this edit window and it was putting a single backtick.

All the crt files seem to be valid until 2032.

```
openhab:/etc/mosquitto/certs # openssl x509 -in /etc/mosquitto/certs/ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b8:02:39:b6:47:52:94:08
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
        Validity
            Not Before: Oct 12 20:59:14 2017 GMT
            Not After : Oct  8 20:59:14 2032 GMT
        Subject: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
```

jpmens commented 6 years ago

So it's only the Recorder that's not connecting to Mosquitto, right?

Where did you get that from? Can you please show me `ocat -v`?

guillebot commented 6 years ago

Only recorder.

mqttwarn log:

```
2018-08-30 14:38:10,751 DEBUG [mqttwarn] Connected to MQTT broker, subscribing to topics...
2018-08-30 14:38:10,751 DEBUG [mqttwarn] Cleansession==False; previous subscriptions for clientid mqttwarn remain active on broker
2018-08-30 14:38:10,751 DEBUG [mqttwarn] Subscribing to hello/1 (qos=0)
2018-08-30 14:38:10,752 DEBUG [mqttwarn] Subscribing to owntracks/+/+ (qos=0)
2018-08-30 14:38:10,752 DEBUG [mqttwarn] Subscribing to owntracks/+/+/event (qos=0)
2018-08-30 14:38:10,752 DEBUG [mqttwarn] Subscribing to openhab/pushbullet/avisos (qos=0)
2018-08-30 14:38:10,797 DEBUG [mqttwarn] Message received on owntracks/guille/iphone: {"batt":85,"lon":-58.506762734076524,"acc":65,"p":101.17788696289062,"vac":10,"inregions":["home","barrio"],"lat":-34.532871341628464,"conn":"w","tst":1535649279,"alt":29,"_type":"location","tid":"gs"}
2018-08-30 14:38:10,797 DEBUG [mqttwarn] Section [owntracks-location] matches message on owntracks/guille/iphone. Processing...
```

mqttwarn relevant config lines:

```
ca_certs = '/etc/mosquitto/certs/ca.crt'
certfile = '/etc/mosquitto/certs/mqttwarn.crt'
keyfile =  '/etc/mosquitto/certs/mqttwarn.key'
tls_version = 'tlsv1'
```

ocat:

```
openhab:/opt/mqttwarn # ocat -v
This is OwnTracks Recorder, version 0.7.6
built with:
        WITH_MQTT = yes
        WITH_HTTP = yes
        WITH_PING = yes
        CONFIGFILE = "/etc/default/ot-recorder"
        STORAGEDEFAULT = "/var/spool/owntracks/recorder/store"
        STORAGEDIR = "/var/spool/owntracks/recorder/store"
        DOCROOT = "/var/spool/owntracks/recorder/htdocs"
        GHASHPREC = 7
        DEFAULT_HISTORY_HOURS = 6
        JSON_INDENT = "NULL"
        LIBMOSQUITTO_VERSION = 1.4.15
        MDB VERSION = LMDB 0.9.16: (August 14, 2015)
        GIT VERSION = tarball
```

guillebot commented 6 years ago

As there are no packages for openSUSE, I compiled it myself from source.

I had done the same with recorder-0.7.2 and today I did with this git version.

It gave me no warnings, no errors, nothing. Would it be possible that it compiled without a required module?

This is the make output:

```
openhab:~/recorder-master # make clean
rm -f *.o
openhab:~/recorder-master # make
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o recorder.o recorder.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o json.o json.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o gcache.o gcache.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o geo.o geo.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o geohash.o geohash.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o mkpath.o mkpath.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\" -Wno-unused-result -Wno-uninitialized -c base64.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o misc.o misc.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o util.o util.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o storage.o storage.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o fences.o fences.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o listsort.o listsort.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o mongoose.o mongoose.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o http.o http.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\" -o ot-recorder recorder.o json.o gcache.o geo.o geohash.o mkpath.o base64.o misc.o util.o storage.o fences.o listsort.o  mongoose.o http.o  -lm -lcurl -lconfig mdb/liblmdb.a -lpthread -L/usr/lib -lmosquitto -lm
if test -r codesign.sh; then /bin/sh codesign.sh; fi
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\"   -c -o ocat.o ocat.c
cc -Wall -Werror -DGHASHPREC=7 -Imdb/ -DWITH_MQTT=1 -I/usr/include -DWITH_PING=1 -DWITH_HTTP=1 -DJSON_INDENT=NULL -DSTORAGEDEFAULT=\"/var/spool/owntracks/recorder/store\" -DDOCROOT=\"/var/spool/owntracks/recorder/htdocs\" -DCONFIGFILE=\"/etc/default/ot-recorder\" -DGIT_VERSION=\"tarball\" -o ocat ocat.o json.o gcache.o geo.o geohash.o mkpath.o base64.o misc.o util.o storage.o fences.o listsort.o  -lm -lcurl -lconfig mdb/liblmdb.a -lpthread -L/usr/lib -lmosquitto -lm
```

guillebot commented 6 years ago

I am also using the same config file from the last version (0.7.2); were there any important changes? I compared both and they seem to be the same.

jpmens commented 6 years ago

What's the TLS configuration for your Mosquitto look like? I'm willing to bet it says 'tlsv1' or something in mosquitto.conf. If so, would you please comment that out and restart Mosquitto, then try again?

If that fixes it, you'll have to change your mqttwarn.ini above, and also comment out the tls_version = 'tlsv1' line.

guillebot commented 6 years ago

Unfortunately, no:

```
openhab:/etc/mosquitto # cat mosquitto.conf|grep tls
# See also the mosquitto-tls man page.
# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
# valid values are tlsv1.
#tls_version
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
```

I also tried forcing tls_version tlsv1.2 and 1.1 with no luck.

Regarding mqttwarn, I commented out tls_version = 'tlsv1' on mqttwarn.ini and restarted without any problem.

```
2018-08-30 17:50:39,175 DEBUG [mqttwarn] Disconnecting from MQTT broker...
2018-08-30 17:50:39,176 INFO  [mqttwarn] Clean disconnection from broker
2018-08-30 17:50:39,176 INFO  [mqttwarn] Waiting for queue to drain
2018-08-30 17:50:39,176 DEBUG [mqttwarn] Exiting on signal 15
2018-08-30 17:50:40,324 INFO  [mqttwarn] Starting mqttwarn
2018-08-30 17:50:40,325 INFO  [mqttwarn] Log level is DEBUG
2018-08-30 17:50:40,326 DEBUG [mqttwarn] Service file loaded
2018-08-30 17:50:40,327 DEBUG [mqttwarn] Service log loaded
2018-08-30 17:50:40,439 DEBUG [mqttwarn] Service pushbullet loaded
2018-08-30 17:50:40,440 DEBUG [mqttwarn] Attempting connection to MQTT broker localhost:8883...
2018-08-30 17:50:40,440 DEBUG [mqttwarn] Setting LWT to clients/mqttwarn...
2018-08-30 17:50:40,452 INFO  [mqttwarn] Starting 1 worker threads
2018-08-30 17:50:40,453 DEBUG [mqttwarn] Job queue has 0 items to process
2018-08-30 17:50:40,454 DEBUG [mqttwarn] Connected to MQTT broker, subscribing to topics...
2018-08-30 17:50:40,454 DEBUG [mqttwarn] Cleansession==False; previous subscriptions for clientid mqttwarn remain active on broker
2018-08-30 17:50:40,454 DEBUG [mqttwarn] Subscribing to hello/1 (qos=0)
2018-08-30 17:50:40,454 DEBUG [mqttwarn] Subscribing to owntracks/+/+ (qos=0)
2018-08-30 17:50:40,454 DEBUG [mqttwarn] Subscribing to owntracks/+/+/event (qos=0)
2018-08-30 17:50:40,454 DEBUG [mqttwarn] Subscribing to openhab/pushbullet/avisos (qos=0)
2018-08-30 17:50:40,496 DEBUG [mqttwarn] Message received on owntracks/guille/iphone: {"batt":76,"lon":-58.506712619869184,"acc":65,"p":101.68399047851562,"vac":10,"lat":-34.532794855238024,"inregions":["barrio","home"],"t":"u","conn":"w","tst":1535662206,"alt":29,"_type":"location","tid":"gs"}
2018-08-30 17:50:40,496 DEBUG [mqttwarn] Section [owntracks-location] matches message on owntracks/guille/iphone. Processing...
```

guillebot commented 6 years ago

mosquitto_sub seems to be able to connect with TLS v1 or 1.2:

```
openhab:/opt/mqttwarn # mosquitto_sub -h localhost -p 8883 -t 'owntracks/#' --cafile /etc/mosquitto/certs/ca.crt --capath /etc/mosquitto/certs/ --key /etc/mosquitto/certs/ot-recorder.key --cert /etc/mosquitto/certs/ot-recorder.crt --tls-version tlsv1
{"batt":75,"lon":-58.506750775229733,"acc":65,"p":101.66799163818359,"vac":10,"lat":-34.532833537005125,"inregions":["barrio","home"],"t":"u","conn":"w","tst":1535662396,"alt":29,"_type":"location","tid":"gs"}

^C
openhab:/opt/mqttwarn # mosquitto_sub -h localhost -p 8883 -t 'owntracks/#' --cafile /etc/mosquitto/certs/ca.crt --capath /etc/mosquitto/certs/ --key /etc/mosquitto/certs/ot-recorder.key --cert /etc/mosquitto/certs/ot-recorder.crt --tls-version tlsv1.2
{"batt":75,"lon":-58.506750775229733,"acc":65,"p":101.66799163818359,"vac":10,"lat":-34.532833537005125,"inregions":["barrio","home"],"t":"u","conn":"w","tst":1535662396,"alt":29,"_type":"location","tid":"gs"}
```

jpmens commented 6 years ago

I notice a difference between your last example and the very first posting on top: Above, when showing the Mosquitto log from (assumedly) the Recorder, it's connected from 192.168.1.2, whereas below, you're connecting to localhost.

What is the name of your Mosquitto broker, i.e. what's the common name (CN) in the certificate you're using? They should match.

guillebot commented 6 years ago

I was exploring this a lot.

127.0.0.1, localhost, 192.168.1.2, openhab and openhab.libertad are all names of this box.

All of them resolve via the hosts file to this box and connect to this mosquitto broker.

I don't know exactly which one is the CN on the certificate.

guillebot commented 6 years ago

So do you think that I should re-create all the certs?

```
Issuer: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
```

jpmens commented 6 years ago

That’s the issuer CN. What’s the server certificate CN?

guillebot commented 6 years ago

I'm afraid the same:

```
openhab:/etc/mosquitto/certs # openssl x509 -in openhab.libertad.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d0:a4:36:a0:e0:10:70:25
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
```

jpmens commented 6 years ago

You are showing me the issuer. I need the subject.

guillebot commented 6 years ago

All the subjects are also the same:

```
        Subject: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
```

I guess I will have to re-issue all the certificates with correct information in those fields.

I wonder why it worked OK until my recent update, and why openHAB and the OwnTracks iOS app are working fine. Perhaps ot-recorder is being more strict/correct regarding TLS?
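
A diagnostic for exactly this situation, added here as an example (not code from the Recorder project or from anyone in this thread): it parses the `openssl x509 -text -noout` dump shown above and reports why a verifying client would reject the broker certificate, namely that no subject CN or SAN entry matches any name the clients dial and that the subject is identical to the issuer. The sample dump and the hostname list are constructed from the values posted in the thread.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the `openssl x509 -text -noout` output posted in
# the thread for the broker cert (openhab.libertad.crt); not a real certificate.
SAMPLE_CERT_TEXT = """\
        Issuer: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
            Not Before: Oct 12 20:59:15 2017 GMT
            Not After : Oct  8 20:59:15 2032 GMT
        Subject: CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
"""
# Every name the Recorder, mqttwarn or mosquitto_sub use to reach the broker (from the thread).
BROKER_NAMES = ["localhost", "127.0.0.1", "192.168.1.2", "openhab", "openhab.libertad"]

def parse_dn(line):
    """'CN = a, O = b' -> {'CN': 'a', 'O': 'b'} (OpenSSL's default DN print)."""
    parts = {}
    for item in line.split(","):
        key, _, value = item.partition("=")
        parts[key.strip()] = value.strip()
    return parts

def parse_date(value):
    # 'Oct  8 20:59:15 2032 GMT' -> aware datetime; the padding space is collapsed
    clean = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(clean, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_x509_text(text):
    info = {"issuer": {}, "subject": {}, "not_before": None, "not_after": None, "sans": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            info["issuer"] = parse_dn(line[7:])
        elif line.startswith("Subject:"):
            info["subject"] = parse_dn(line[8:])
        elif line.startswith("Not Before:"):
            info["not_before"] = parse_date(line[11:])
        elif line.startswith("Not After"):
            info["not_after"] = parse_date(line.split(":", 1)[1])
        elif line.startswith(("DNS:", "IP Address:")):  # subjectAltName entries
            info["sans"] += [s.split(":", 1)[1].strip() for s in line.split(",")]
    return info

def name_matches(cert_name, hostname):
    """Exact, case-insensitive match of one certificate name against the hostname dialled."""
    return cert_name.lower() == hostname.lower()

def check_server_cert(text, hostnames, now=None):
    """Return the findings that would make a verifying client reject this broker cert."""
    now = now or datetime.now(timezone.utc)
    cert = parse_x509_text(text)
    findings = []
    if cert["not_after"] and now > cert["not_after"]:
        findings.append("expired (Not After %s)" % cert["not_after"].date())
    # Identity check: SAN entries win; older clients fall back to the subject CN.
    names = cert["sans"] or [cert["subject"].get("CN", "")]
    if not any(name_matches(n, h) for n in names for h in hostnames):
        findings.append("no name matches %s; cert offers %s" % (hostnames, names))
    if cert["subject"] and cert["subject"] == cert["issuer"]:
        findings.append("subject equals issuer: the CA's name was reused as the server identity")
    return findings

def diagnose_sample(year=2018):
    """Run the check as of 30 August of `year` (the thread's date by default)."""
    return check_server_cert(SAMPLE_CERT_TEXT, BROKER_NAMES, datetime(year, 8, 30, tzinfo=timezone.utc))
```

Feeding it a dump whose Subject CN (or SAN list) contains the name the client connects to returns no findings, which is the state the re-issued certificates need to reach.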

jpmens commented 6 years ago

If you have Recorder and Mosquitto running on the same machine, I'd have Recorder connect to 127.0.0.1 (or ::1) on 1883 and forget about the complexity.

guillebot commented 6 years ago

Done. Thanks for your time and for these great tools.

I had mosquitto answering only via TLS as a safeguard but it's not so important.

In the future I will try to do all the certs again.

Best wishes