Problem with TLS + Mosquitto + ESP32

#1
My goal is: I have Mosquitto + Mongoose OS + ESP32 running without TLS, and now I changed my yml:

tags:

My init.js:

load('api_mqtt.js');
load('api_gpio.js');
let pin = 0, topic = 'acaas';
// Publish a small JSON message on each button press (GPIO0, 200 ms debounce)
GPIO.set_button_handler(pin, GPIO.PULL_UP, GPIO.INT_EDGE_NEG, 200, function (gpio) {
  print('Button press, GPIO' + JSON.stringify(gpio));
  if (MQTT.isConnected()) {
    let res = MQTT.pub(topic, JSON.stringify({a: 1, b: 2}), 1);  // QoS 1
    print('Published:', res ? 'yes' : 'no');
  } else {
    print('*** MQTT is not connected ***');
  }
}, null);

This is my script to make the self-signed certificates:

# Common parameters
SUBJ="/C=IE/ST=Dublin/L=Docks/O=MyCompany/CN=howdy"

# Generate CA
openssl genrsa -out ca-mongoose.key 2048
openssl req -new -x509 -days 365 -key ca-mongoose.key -out ca-mongoose.crt -subj /C=IE/ST=Dublin/L=Docks/O=mos/CN=me

# Generate client cert
openssl genrsa -out client-mongoose.key 2048
openssl req -new -key client-mongoose.key -out client-mongoose.csr -subj "$SUBJ"
openssl x509 -req -days 365 -in client-mongoose.csr -CA ca-mongoose.crt -CAkey ca-mongoose.key -set_serial 01 -out client-mongoose.crt

# Generate server cert (the serial must differ from the client cert issued by the same CA)
openssl genrsa -out server-mongoose.key 2048
openssl req -new -key server-mongoose.key -out server-mongoose.csr -subj "$SUBJ"
openssl x509 -req -days 365 -in server-mongoose.csr -CA ca-mongoose.crt -CAkey ca-mongoose.key -set_serial 02 -out server-mongoose.crt

After flashing the ESP32 I upload 3 certificates:
mos put ca-mongoose.crt
mos put server-mongoose.crt
mos put server-mongoose.key

On the console I get the following error:
[screenshot: mongooseos4]

And my mosquitto_sub:
mosquitto_sub --cafile ca.crt --tls-version tlsv1.1 --insecure -h 192.168.1.10 -t "acaas" -p 8883

I don't know what the problem is. Is it the certificate? Do I need to force TLS version tlsv1.1 to match Mosquitto? What is the correct path to save all the certificates in my project?

#2

Your message is too long and I'm too lazy to read it all.
If you think the problem is the certificate, use it in mosquitto_pub and see what happens. However, if you look at the logs, mos will tell you if there is a certificate problem.
Here you have a working TLS config with tested certificates. Even if you can't fully understand the whole explanation in Spanish there, I guess the context will be helpful to you.

Oh… that "server version out of bounds" is a Mosquitto misconfiguration on your part, see the doc I linked; do not play with the version setting in Mosquitto, just use a recent version.
E.g. (copied from the linked doc with the author's permission):
Broker authentication only

listener 8883 192.168.5.1
log_dest syslog
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

Mutual authentication

listener 8883 192.168.5.1
log_dest syslog
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
require_certificate true

#3

Thanks for your answer, now I have Mosquitto working with mutual authentication, therefore I already have the correct certificates, but when I follow the example you shared with me, in the console I see the following:
[screenshot: mongooseos5]

Any ideas what the problem may be?

#4

Perhaps the ca.crt on your device does not match the one on your Mosquitto server?
If you plan to run that example with your server as it is, you have to replace the ca.crt on your device with the one you used to sign your server certificate. Otherwise you can replace all three files on your server (CA certificate, server certificate, server key) with the ones in the example.
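
The script in post #1 and the mismatch suspected in #4 can both be handled with the following added example. It is not code from the thread, from Mongoose OS or from Mosquitto; it is a corrected version of the poster's openssl script plus the check reply #4 describes. It assumes the broker is reachable at 192.168.1.10 (the address in the poster's mosquitto_sub command) and that openssl 1.1.1 or newer is on PATH. Compared with the posted script it gives the server certificate a subjectAltName for the broker IP (so clients can verify the name instead of needing --insecure), gives the server and client certificates distinct serials (the posted script issued both with -set_serial 01 from the same CA), and marks which certificate is for serverAuth and which for clientAuth. The device side needs the CA certificate plus the client certificate and key; the server certificate and key belong in the Mosquitto listener config shown in #2.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl >= 1.1.1 and a
# broker at the IP passed in (192.168.1.10 in the poster's setup).
set -eu

# Build a CA, one server cert and one client cert under $1 for broker IP $2.
make_pki() {
    dir=$1
    broker_ip=$2
    mkdir -p "$dir"
    # One openssl config for everything; -subj on the command line supplies the DN.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$broker_ip
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    cnf=$dir/openssl.cnf

    # CA: self-signed, explicitly marked as a CA
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$cnf" -extensions v3_ca \
        -key "$dir/ca.key" -subj "/O=mos/CN=mos-test-ca" -out "$dir/ca.crt" 2>/dev/null

    # Server (Mosquitto): CN and SAN carry the address the ESP32 connects to
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$cnf" -key "$dir/server.key" \
        -subj "/O=mos/CN=$broker_ip" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 01 -extfile "$cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null

    # Client (ESP32): a different serial from the same CA, clientAuth only
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -config "$cnf" -key "$dir/client.key" \
        -subj "/O=mos/CN=esp32-device" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 02 -extfile "$cnf" -extensions v3_client -out "$dir/client.crt" 2>/dev/null
}

# 0 when both leaf certs chain to the CA for their purpose and the server
# cert really names the broker IP (the check that --insecure switches off).
check_pki() {
    dir=$1
    broker_ip=$2
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/server.crt" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "IP Address:$broker_ip"
}

# Reply #4's check: 0 only if the ca.crt about to be put on the ESP32 is the
# CA that issued the broker's server certificate.
device_ca_matches_broker() {
    device_ca=$1
    broker_cert=$2
    openssl verify -CAfile "$device_ca" "$broker_cert" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, to compare the device copy with the broker copy.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: ./make_pki.sh <outdir> <broker-ip>
if [ $# -ge 2 ]; then
    make_pki "$1" "$2"
    check_pki "$1" "$2" && device_ca_matches_broker "$1/ca.crt" "$1/server.crt" &&
        echo "OK, CA fingerprint $(fingerprint "$1/ca.crt")" &&
        echo "device files: mos put $1/ca.crt; mos put $1/client.crt; mos put $1/client.key"
fi
```

Run it as `./make_pki.sh certs 192.168.1.10`, point the Mosquitto listener at certs/ca.crt, certs/server.crt and certs/server.key, and upload ca.crt, client.crt and client.key to the device. If the handshake still fails, compare `fingerprint` of the ca.crt on the device against the CA the broker's server.crt was signed with; `device_ca_matches_broker` failing is exactly the mismatch described in #4.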

#5

We mark this query as solved because double authentication is not necessary for my MVP; likewise, I thank you for your answers.