MQTT TLS issue #1960

Closed
ackleyimproved opened this issue Jan 18, 2025 · 11 comments

Comments

@ackleyimproved

I have a working MQTT server and can run the command:

```
mosquitto_pub -h -p 8883 -t test -m test --cafile ca.crt --cert client.crt --key client.key -u dummyuser -P dummypass
```

This works as expected and I receive a test message on the test topic.

I have then converted it to a .p12 file using:

```
openssl pkcs12 \
  -legacy \
  -export \
  -in client.crt \
  -inkey client.key \
  -name "Jane's certificate/key" \
  -out jjolie.p12
```

I then import ca.cert and jjolie.p12 into my cellphone. The ca.cert is showing under "Trusted Certificates" and "User Certificates".
On the OwnTracks app 2.5.3 I install the jjolie.p12 client certificate through the "Install client certificate" button and "Allow" this certificate in the "Client certificate" section.

I set "Credentials" to dummyuser and dummypass.

On my MQTT server I am getting only a "New connection" message (from the device) and a "Client closed its connection" message.

I am unsure why I am getting this error, and I have tried on two Android devices. I think I am missing something in the pkcs12 conversion. I have tried with and without `-legacy`.

@growse
Collaborator

growse commented Jan 20, 2025

What logs / status message do you get in the app?

@ackleyimproved
Author

ackleyimproved commented Jan 21, 2025

Hello, I have the output from the OwnTracks app below. I have also tried with a different crt/key pair and it's doing the same thing. There may be an issue with how I make the p12 file or how it works with my cellphone, which is an Android Oppo.

```
2025-01-21 19:51:48.828 D [DefaultDispatcher-worker-7] Scheduler: Scheduled ONETIME_TASK_MQTT_RECONNECT job
2025-01-21 19:51:48.828 D [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$connectToBroker: MQTT connection attempt completed in 531.371154ms
2025-01-21 19:51:48.828 I [DefaultDispatcher-worker-7] MQTTReconnectWorker: MQTT reconnect worker job completed, status Retry
2025-01-21 19:52:28.865 I [DefaultDispatcher-worker-7] MQTTReconnectWorker: MQTT reconnect worker job started
2025-01-21 19:52:28.867 D [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$disconnect: Client already disconnected
2025-01-21 19:52:28.867 D [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$disconnect: Unregistered ping alarm receiver
2025-01-21 19:52:28.867 D [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$disconnect: MQTT disconnected in 1.025ms
2025-01-21 19:52:28.872 D [DefaultDispatcher-worker-7] AsyncPingSender: Initializing MQTT keepalive AsyncPingSender with comms org.eclipse.paho.client.mqttv3.internal.ClientComms@9de7be8
2025-01-21 19:52:29.185 I [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$connectToBroker: Connecting to ssl://mqtt.mydnshost.org:8883?# timeout = 30s
2025-01-21 19:52:29.366 E [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$connectToBroker: MQTT client unable to connect to endpoint
MqttException (0) - javax.net.ssl.SSLPeerUnverifiedException: Host: mqtt.mydnshost.org, Peer Host: mqtt.mydnshost.org
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:233)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:487)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:307)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
    at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host: mqtt.mydnshost.org, Peer Host: mqtt.mydnshost.org
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SourceFile:144)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:66)
    ... 6 more

2025-01-21 19:52:29.367 D [DefaultDispatcher-worker-7] Scheduler: Scheduled ONETIME_TASK_MQTT_RECONNECT job
2025-01-21 19:52:29.367 D [DefaultDispatcher-worker-7] MQTTMessageProcessorEndpoint$connectToBroker: MQTT connection attempt completed in 498.865846ms
2025-01-21 19:52:29.367 I [DefaultDispatcher-worker-7] MQTTReconnectWorker: MQTT reconnect worker job completed, status Retry
```

@growse
Collaborator

growse commented Jan 24, 2025

SSLPeerUnverifiedException means you're either not trusting the right CA in your device root store, or the leaf cert presented by the server doesn't have your hostname in the SAN field.

@ackleyimproved
Author

ackleyimproved commented Jan 25, 2025

Thank you.

I noticed it is probably the same issue as #1694. I think I am having trouble generating a proper certificate and key that works.

I created a new server.crt and server.key based on the script generate-CA.sh, but I am getting the below error message in mosquitto_pub:

```
OpenSSL Error[0]: error:0A000413:SSL routines::sslv3 alert unsupported certificate
```

My server certificate is as follows; mosquitto itself is running fine.

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:2d:fa:81:0e:ec:ae:61:91:a2:5f:06:07:bf:e6:30:8b:09:85:b9
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = NZ, ST = randomtext L = AKL, O = randomtext OU = OU, CN = mqtt.mydomain.com
        Validity
            Not Before: Jan 24 23:38:11 2025 GMT
            Not After : Jan 22 23:38:11 2035 GMT
        Subject: C = US, ST = Home, L = server, O = jt, OU = AA, CN = mqtt.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: (edited)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            Netscape Comment: 
                Broker Certificate
            X509v3 Subject Key Identifier: 
                E4:3E:99:51:B5:91:8D:35:37:edited out
            X509v3 Authority Key Identifier: 
                keyid:ED:29:0E:77:B5:8E:FB:7edited out
                DirName:/C=NZ/ST=CHCL=AKL/O=uss/OU=OU/CN=mqtt.mydomain.com
                serial:6B:C0:23:6D:28:A3:88:D4:33:08:19:8E:82:7E:C5:03:A1:2B:D0:BC
            X509v3 Subject Alternative Name: 
                DNS:mqtt.mydomainname.com
            X509v3 Certificate Policies: 
                Policy: 1.3.5.8
                  CPS: http://localhost
                  User Notice:
                    Organization: OwnTracks
                    Number: 1
                    Explicit Text: This CA is for a local MQTT broker installation only
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
```

@ackleyimproved
Author

ackleyimproved commented Jan 25, 2025

I have also just run the generate-CA.sh script, uncommenting the host list and IP list and adding my local IP and mqtt.domainname.com to these variables. I restarted mosquitto using the updated files and it's presenting the same error message when I run mosquitto_pub.

@jpmens
Member

jpmens commented Jan 25, 2025

> ```
>         Subject: C = US, ST = Home, L = server, O = jt, OU = AA, CN = mqtt.mydomain.com
>                 DNS:mqtt.mydomainname.com
> ```

Please either obfuscate correctly or show us the real values. If these really differ, that will cause trouble.

@jpmens
Member

jpmens commented Jan 25, 2025

> you're either not trusting the right CA in your device root store

You've also not indicated whether the CA is in your device.

@ackleyimproved
Author

> ```
>         Subject: C = US, ST = Home, L = server, O = jt, OU = AA, CN = mqtt.mydomain.com
>                 DNS:mqtt.mydomainname.com
> ```
>
> Please either obfuscate correctly or show us the real values. If these really differ, that will cause trouble.

Are these values important? As I understand only the CN has to match my domain host pointing to the mqtt server (it does).

The SAN is configured to DNS:mqtt.mydomainname.org

@ackleyimproved
Author

> you're either not trusting the right CA in your device root store
>
> You've also not indicated whether the CA is in your device.

Yes I both imported the .p12 file as well as the ca.crt file to the android app.

FYI, for the time being I have set `require_certificate false` in mosquitto so only the CA is checked. It's working; however, I would still like to use the client certificates.

@jpmens
Member

jpmens commented Jan 25, 2025

> As I understand only the CN has to match my domain host pointing to the mqtt server

That is wrong. Start reading here

@ackleyimproved
Author

Thank you, I have somewhat sorted it out by butchering the generate-CA.sh script. I failed to mention I was trying to use the server.crt and server.key produced by the script to test in mosquitto_sub/pub; however, these won't work. I then generated the client.cert, tested it, and it works just fine.

Not being that well versed in certificates, I was relying on tutorials on the internet (OwnTracks + mosquitto), and I believe all of these tutorials are out of date in terms of generating proper certificates.
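Added example for two points in this thread, growse's note that `SSLPeerUnverifiedException` is a CA-trust or SAN problem and the final comment's finding that the script's server.crt cannot stand in for a client certificate; this is not code from the issue or from the OwnTracks project. It builds a throwaway PKI and runs the same checks a TLS client and a broker apply, assuming the host name `mqtt.example.test`, a `mktemp` directory and the placeholder password `changeit`.

```shell
#!/bin/sh
# Added example, not code from the issue or the OwnTracks project: build a
# throwaway test PKI with openssl and run the checks a TLS client performs,
# so a certificate set can be validated before it goes onto a phone.
# Host name, file names and the 'changeit' password are demo assumptions.
set -eu

# make_pki DIR HOST: CA, server cert (SAN=HOST, serverAuth), client cert
# (clientAuth) and a PKCS#12 bundle of the client pair, written under DIR.
make_pki() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server: clients match the name they dial against the SAN, not the CN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" >> "$dir/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client: the EKU is what makes this usable where server.crt is not.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=jjolie" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -name "jjolie" -out "$dir/client.p12" -passout pass:changeit
}

# server_ok DIR HOST: the chain must build to ca.crt for the sslserver purpose
# AND HOST must be in the SAN; either failure is what Android surfaces as
# SSLPeerUnverifiedException.
server_ok() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q 'does match'
}

# client_ok DIR CERT: the sslclient purpose check OpenSSL applies to a client
# certificate on the broker side; server.crt fails it (EKU is serverAuth only).
client_ok() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_pki "$demo" mqtt.example.test
server_ok "$demo" mqtt.example.test && echo "server.crt: chain and SAN ok"
server_ok "$demo" mqtt.example.com || echo "other host name: rejected, as expected"
client_ok "$demo" client.crt && echo "client.crt: accepted for client auth"
client_ok "$demo" server.crt || echo "server.crt as a client cert: rejected"
```

OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default; the `-legacy` switch used in the first post selects the older RC2/3DES algorithms for devices that cannot read that default.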
