
I am hosting an MQTT broker on a Linux server. So far none of the MQTT clients has any problem connecting (sub/pub) until I added the "crlfile" line in the Mosquitto configuration file. When I have the "crlfile" set in the configuration file, none of the clients can connect. What's weird is that the CRL file actually has no certs revoked. However, this error comes out for all clients:

Error: The connection was lost.

I am using Mosquitto 2.0.12 and here is my Mosquitto configuration file:

# For listener with port 1883
#listener 1883

# Set 8883 as the listener (port)
listener 8883

# Path to the password file
#password_file /etc/mosquitto/passwords

# Path to the cafile
cafile /etc/mosquitto/certs/ca.crt

# Path to the broker cert file
certfile /etc/mosquitto/certs/broker.crt

# Path to the broker key file
keyfile /etc/mosquitto/certs/broker.key

# Path to the CRL file
crlfile /etc/mosquitto/certs/ca.crl

# Whether a certificate is required to connect (Set to true for TLS)
require_certificate true

# Allow anonymous connection (Set to false for TLS)
allow_anonymous false

# Path to Dynamic Security Plugin
plugin /usr/lib/x86_64-linux-gnu/mosquitto_dynamic_security.so

# Path to Dynamic Security config file
plugin_opt_config_file /etc/mosquitto/conf.d/dynamic-security.json

# Whether each listener has the same settings
per_listener_settings false
  • Have you looked at the mosquitto logs? And has the CRL expired? They have a finite life when created. As it is we really don't have enough information to make any real recommendations. – hardillb Dec 06 '21 at 08:44
  • I apologize for the very late reply. I've managed to fix it. The problem was that the CRL file was created using Python and the expiry date was set wrongly. After I corrected the expiry date, the CRL file generated no longer causes any problem to my MQTT broker. @hardillb – Zharfan Zahisham Mar 09 '22 at 08:26

1 Answer

I managed to fix the issue. The CRL file was generated using Python's cryptography library. The issue was that when I set the last update and next update datetime, I set it using my local time when I should've set it based on UTC time. So I changed my code from

from datetime import datetime, timedelta

# naive datetimes: no timezone attached
crl_builder = crl_builder.last_update(datetime.utcnow())
crl_builder = crl_builder.next_update(datetime.utcnow() + timedelta(days=365000))

to

from datetime import datetime, timedelta
import pytz

# timezone-aware datetimes, explicitly marked as UTC
crl_builder = crl_builder.last_update(pytz.utc.localize(datetime.utcnow()))
crl_builder = crl_builder.next_update(pytz.utc.localize(datetime.utcnow()) + timedelta(days=365000))

And now my Mosquitto broker works fine :)

  • Hello, I guess I have the same problem, but to be honest I don't understand why there has been a problem with the first lines. Can you give a more detailed explanation? – Ace of Spade Jul 22 '22 at 08:19
  • Hi @AceofSpade, sorry for the late reply. I suppose it's because my local time is GMT+8 which means that if it is read as UTC (which I assume the Mosquitto broker does), the "last_update" variable would be in the future which is invalid and that probably caused the Mosquitto broker to not be able to read it properly. – Zharfan Zahisham Jul 28 '22 at 02:25
  • Thank you, didn't solve my problem but thanks anyway. – Ace of Spade Jul 28 '22 at 06:21
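A worked example, added here and not taken from the question or the answer above: it signs a CRL with Python's cryptography library using UTC timestamps, then applies the checks a TLS verifier (OpenSSL, as used by Mosquitto) makes before trusting a CRL, so a lastUpdate stamped with local wall-clock time in a GMT+8 zone shows up as "from the future", exactly the failure the answer describes. The CA name, key material and helper function names are constructed for the example.

```python
from datetime import timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed CA name; a real broker CA would use its own subject.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example MQTT CA")])


def make_ca(now):
    """Self-signed CA key and certificate (constructed test material)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, last_update, revoked_serials=()):
    """Sign a CRL. last_update is whatever the caller believes 'now' is (in UTC)."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(last_update)
               .next_update(last_update + timedelta(days=30)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(last_update).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def _utc(dt):
    """Older cryptography releases return naive UTC datetimes; normalise to aware."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_crl(crl_pem, ca_cert, now, serial=None):
    """Mirror the checks a verifier applies: signature, lastUpdate <= now < nextUpdate."""
    crl = x509.load_pem_x509_crl(crl_pem)
    last = _utc(getattr(crl, "last_update_utc", None) or crl.last_update)
    nxt = _utc(getattr(crl, "next_update_utc", None) or crl.next_update)
    return {
        "signature_ok": crl.is_signature_valid(ca_cert.public_key()),
        "not_from_future": last <= now,   # fails when local time was written as UTC
        "not_expired": now < nxt,         # fails once nextUpdate has passed
        "revoked": serial is not None
        and crl.get_revoked_certificate_by_serial_number(serial) is not None,
    }
```

Feed the PEM from `build_crl` to `openssl crl -noout -lastupdate -nextupdate` to see the same two timestamps the broker compares against its clock.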