MQTT server with SSL/TLS Error: Unable to load server key file

Question

I am trying to set up an MQTT broker with SSL. When I start the broker, I get this error:

1452342536: Error: Unable to load server key file "/home/ilab/mqtt/server/server.key". Check keyfile.

The following is my mosquitto.conf:

pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
cafile /home/ilab/mqtt/CA/ca.crt
certfile /home/ilab/mqtt/server/server.crt
keyfile /home/ilab/mqtt/server/server.key
port 8883
tls_version tlsv1

I also followed the step mentioned in THIS question. But still didn't solve the problem.

Does the key have a password? – hardillb Jan 09 '16 at 14:21 — hardillb, Jan 09 '16 at 14:21
@hardillb Yes, it has a password. – Ankur Bhatia Jan 09 '16 at 21:44 — Ankur Bhatia, Jan 09 '16 at 21:44

score 3 · Answer 1 · answered Jan 11 '16 at 21:30

3

As @hardillb implies, try removing the password or start the broker manually.

Alternatively, if you're on Ubuntu then apparmor may be restricting access to those files. Try put them in /etc/mosquitto/certs instead.

answered Jan 11 '16 at 21:30

ralight

11,033
3
49
59

score 2 · Answer 2 · answered Mar 30 '18 at 16:42

2

I had the same issue. I fixed it by providing the fullchain.pem instead of the chain.pem in the configuration.

answered Mar 30 '18 at 16:42

Lu.Wi

71
1
2

1

how did you create fullpem ? i have cafile /etc/mosquitto/certs/mqtt_ca.crt certfile /etc/mosquitto/certs/mqtt_srv.crt keyfile /etc/mosquitto/certs/mqtt_srv.pem files – Isaiyavan Babu Karan May 27 '19 at 14:13
1

can you please provide an example of fullchai configuration in mosquitto? tnx – Fabio Aug 05 '19 at 18:29

score 0 · Answer 3 · answered Jun 29 '17 at 03:47

0

You can even try changing the name of server.crt to cert.pem and server .key to key.pem in the path mqtt/certs/ Also don't forget to change the path and file name in your code.

answered Jun 29 '17 at 03:47

Sumit Pugalia

25
1

score 0 · Answer 4 · edited Jul 13 '23 at 12:10

0

I had similar issue and it seems like it got fixed by changing the permissions to read the file from: -rw------- to -rw-r--r-- for the file /etc/mosquitto/certs/mqtt-server.key

Steps:

Navigate to the directory

cd /etc/mosquitto/certs

List file permissions (-rw-------)

ls -l

As root, change all users permission to read the file

sudo chmod a+r mqtt-server.key

List file permissions again to see changes (now -rw-r--r--)

ls -l

Restart the broker/server

sudo systemctl restart mosquitto

I not sure if this pose any security issue, but hope not. Planning on using authorization and encryption to access the server from the web.

edited Jul 13 '23 at 12:10

hardillb

54,545
11
67
105

answered Jul 13 '23 at 10:17

johnsmith

9
2

Private keys should be readable by the smallest number of users as possible. This makes the file world readable which is not secure – hardillb Jul 16 '23 at 16:24
Is that so even if I demand the clients to authenticate over a TLS connection? That is not good, will try some of the other solutions in this thread then. – johnsmith Jul 17 '23 at 09:15

MQTT server with SSL/TLS Error: Unable to load server key file

4 Answers4