
Background

  • I set up and configured the VerneMQ broker. The broker runs in a Docker container and I start it using docker-compose.yml. This is how my docker-compose file looks:
version: '3.3'
services:
  db:
    image: erlio/docker-vernemq
    container_name: vernemq1
    network_mode: docker_mysql_default
    restart: always
    environment:
      DOCKER_VERNEMQ_ALLOW_ANONYMOUS: 'off'
      DOCKER_VERNEMQ_PLUGINS.vmq_diversity: 'on'
      DOCKER_VERNEMQ_PLUGINS.vmq_passwd: 'off'
      DOCKER_VERNEMQ_PLUGINS.vmq_acl: 'off'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.auth_mysql.enabled: 'on'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.host: 'docker_mysql'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.port: '3306'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.user: 'vernemq'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.password: 'vernemq'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.database: 'vernemq_db'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.password_hash_method: 'md5'
      DOCKER_VERNEMQ_LISTENER__SSL__CAFILE: '/vernemq/etc/ssl/chain.pem'
      DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE: '/vernemq/etc/ssl/cert.pem'
      DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE: '/vernemq/etc/ssl/privkey.pem'
      DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT: '0.0.0.0:8081'
      DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__USE_IDENTITY_AS_USERNAME: 'off'
      DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__REQUIRE_CERTIFICATE: 'off'
    ports:
      # <Port exposed> : <Port running inside container>
      - '1883:1883'
      - '8081:8081'
    expose:
      # Opens port 1883 on the container
      - '1883'
      - '8081'
    # Where our data will be persisted
    volumes:
      - /var/lib/
      - /home/ubuntu/etc/ssl:/vernemq/etc/ssl
# Name our volume
volumes:
  my-db:

  • I am using a MySQL database for authentication.
  • I am trying to use TLS certificates, based on the provided documentation ( https://docs.vernemq.com/configuration/listeners#sample-ssl-config ).
  • This setup is fully functional when I'm not trying to accept SSL connections (that is, when I remove the following lines from docker-compose.yml):
DOCKER_VERNEMQ_LISTENER__SSL__CAFILE: '/vernemq/etc/ssl/chain.pem'
DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE: '/vernemq/etc/ssl/cert.pem'
DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE: '/vernemq/etc/ssl/privkey.pem'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT: '0.0.0.0:8081'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__USE_IDENTITY_AS_USERNAME: 'off'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__REQUIRE_CERTIFICATE: 'off'
  • I tested/verified the TLS connection using the openssl client: `openssl s_client -connect 172.18.0.4:8081 -key privkey.pem -cert cert.pem`. I executed this from the server's localhost; 172.18.0.4 is the IP address of the vernemq Docker container, 8081 is the expected SSL default port (listener), and key/cert are provided. This is the outcome (I suppose it means the TLS listener works):

Question

How can I test this using mosquitto client or any other mqtt client? I want to use TLS based connection when publishing and subscribing.

When I don't use TLS, this is how I execute mosquitto_sub (subscription client): `mosquitto_sub -h <ip_address> -p 1883 -t topic -d -u user -P password -i client-id`

This is the response: VerneMQ Subscription

When I try to use TLS, I add the --key and --cert options to use the private key and certificate: `mosquitto_sub -h <ip_address> -p 1883 -t topic -d -u user -P password -i client-id --key privkey.pem --cert cert.pem`

I only get `Client user sending CONNECT` repeatedly. What am I doing wrong?

Rob
spamserv

2 Answers


Some things you need to do: give correct permissions to your certificate directory. You need to ensure the permissions are set to the user running VerneMQ; in my case it's "vernemq". Now the next thing is to set up the permissions on the certificate folder:

chown -R vernemq:vernemq /etc/letsencrypt/live

All the configuration files should be in .pem format:

listener.ssl.cafile = /etc/letsencrypt/live/mqtts.domain.com/chain.pem
listener.ssl.certfile = /etc/letsencrypt/live/mqtts.domain.com/cert.pem
listener.ssl.keyfile = /etc/letsencrypt/live/mqtts.domain.com/privkey.pem

The client must use fullchain.pem to connect to the server. If you do not have it: the domain certificate is issued by the intermediate "Let's Encrypt Authority X3", and this intermediate is cross-signed by "DST Root CA X3" (from IdenTrust). IdenTrust is widely trusted by most OSes and applications, so we will use "DST Root CA X3" as the root CA. If you are not on a too-old OS, then you can build this from your local machine:

cat /etc/ssl/certs/DST_Root_CA_X3.pem /etc/letsencrypt/live/$domain/chain.pem > ca.pem
Mansur Ul Hasan

From the mosquitto_sub man page:

Encrypted Connections

mosquitto_sub supports TLS encrypted connections. It is strongly recommended that you use an encrypted connection for anything more than the most basic setup.

To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option.


--capath

Define the path to a directory containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.

For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "openssl rehash" each time you add/remove a certificate.

To use the mosquitto_sub command you must supply either a file with the trusted CA certificate or a directory holding a collection of trusted CA certificates.

hardillb
  • I tried including --capath option with an absolute path to the _ssl_ folder. mosquitto_sub client outputs this response: OpenSSL Error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed Error: A TLS error occurred. VerneMQ log: [info] TLS server: In state certify received CLIENT ALERT: Fatal - Unknown CA I am using the same certificate files for VerneMQ configuration. I tried both with fullchain and rootCA chain only. I am out of ideas what to try next. – spamserv Jan 02 '20 at 15:05
  • try `--cafile` and point directly to the fullchain file (it needs to be in pem format) – hardillb Jan 02 '20 at 15:17
  • To confirm: fullchain is in pem format. I tried it and mosquitto response is: "Error: Problem setting TLS options: File not found." There is no VerneMQ output however. Do I need to add `--key` and `--cert` ? – spamserv Jan 02 '20 at 15:23
  • File not found means you've got the path to the file wrong. And no, you only need `--key` and `--cert` if you are authenticating the client with certs. – hardillb Jan 02 '20 at 15:24
  • That's what bothers me. I'm 100% certain that is the file path. – spamserv Jan 02 '20 at 15:39
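The question's openssl test and the --cafile discussion in this answer and its comments come down to three checks the client side can run locally before touching the broker. The script below is an added example, not part of the question or either answer: it builds a throwaway CA and broker certificate in a temp directory (the file names mirror the question's chain.pem/cert.pem/privkey.pem, the hostname and port 8081 are assumptions taken from the question) and shows which CA bundle makes verification succeed, which produces the "Unknown CA" outcome, and what a wrong path looks like.

```shell
#!/usr/bin/env sh
# Added example: throwaway PKI plus the three pre-flight checks for an MQTT-over-TLS
# client. It checks 1) the key file really matches the cert, 2) the CA bundle
# handed to the client actually issued the broker cert (otherwise: "Unknown CA"),
# 3) every path exists (otherwise mosquitto's "File not found").
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a root CA (chain.pem) and a broker leaf (cert.pem) it signs.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mqtts.example.test" \
    -keyout "$dir/privkey.pem" -out "$dir/broker.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/broker.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/cert.pem" >/dev/null 2>&1
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# "ok" if the private key's public half equals the certificate's public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ] && echo ok || echo mismatch
}

# "ok" if the CA bundle ($1) verifies the leaf ($2), "unknown-ca" if it does not,
# "missing-file" if a path is wrong. This is the same path validation the
# client performs, so a failing result predicts the handshake alert.
cafile_verifies_cert() {
  [ -r "$1" ] && [ -r "$2" ] || { echo missing-file; return; }
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo unknown-ca
}

make_test_pki "$WORK"
mkdir -p "$WORK/other" && make_test_pki "$WORK/other"   # an unrelated CA

echo "key/cert:  $(key_matches_cert "$WORK/privkey.pem" "$WORK/cert.pem")"
echo "right CA:  $(cafile_verifies_cert "$WORK/chain.pem" "$WORK/cert.pem")"
echo "wrong CA:  $(cafile_verifies_cert "$WORK/other/chain.pem" "$WORK/cert.pem")"
echo "bad path:  $(cafile_verifies_cert "$WORK/nope.pem" "$WORK/cert.pem")"
# With the CA bundle that verifies, the client needs --cafile, the TLS port and
# username/password; --key/--cert only matter when require_certificate is on.
echo "mosquitto_sub -h <ip_address> -p 8081 --cafile $WORK/chain.pem -t topic -u user -P password -i client-id"
```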