Securing personal MQTT with Let's Encrypt SSL

If you’re having issues securing your personal MQTT broker with certs generated by Let's Encrypt, consider that you may need to upload the chain.pem to the (in this case) ESP32 and then point the settings to that exact cert. I could connect to the MQTT broker with other devices just fine, however the ESP would not connect and threw GET_CLIENT_HELLO: unknown protocol errors.

Not an expert, but it seems that the ca-bundle doesn’t contain Let's Encrypt. I may just be using it wrong, but my working config is below.

You’re probably seeing something like this from the console:

1457358950: New connection from mqtt.yourserv.com on port 8883.
1457358950: OpenSSL Error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
1457358950: Socket error on client <unknown>, disconnecting.

On the server, locate your chain.pem; on Linux it is probably in /etc/letsencrypt/live/mqtt.yourserver.com/chain.pem.
Download that file and upload it to your ESP device via the file manager under “manage” devices in the Mongoose dashboard.

Config for the device should look similar to this:

"mqtt": {
    "enable": true,
    "server": "mqtt.yourserv.com:8883",
    "client_id": "someid",
    "user": "yourusr",
    "pass": "yourpass",
    "reconnect_timeout_min": 2,
    "reconnect_timeout_max": 60,
    "ssl_cert": "",
    "ssl_key": "",
    "ssl_ca_cert": "/chain.pem",
    "ssl_cipher_suites": "",
    "ssl_psk_identity": "",
    "ssl_psk_key": "",
    "clean_session": true,
    "keep_alive": 60,
    "will_topic": "",
    "will_message": "",
    "max_qos": 2,
    "recv_mbuf_limit": 3072,
    "require_time": false,
    "cloud_events": true
  },

This article kind of addresses it, but it’s super confusing.
