Develop Reference

Mosquitto 2.0.14 MQTT with TLS1.2 connection issues Client <unknown> disconnected due to malformed packet

Mosquitto 2.0.14 Ubuntu 20.04 i9-12900, TLS1.2 connection issues
This all works perfectly until I try to secure it. I have added the details below, of how I created the certificates, logs, config file and how I am trying to connect. If anyone could point me in the correct direction, I would greatly appreciate it.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
openssl genrsa -out mosquitto.key 2048
openssl req -new -key mosquitto.key -out mosquitto.csr
openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 3650 -sha256
openssl x509 -in ca.crt -out ca.pem //not sure this step was needed
/var/log/mosquitto/mosquitto.log
1643315161: mosquitto version 2.0.14 starting
1643315161: Config loaded from /etc/mosquitto/mosquitto.conf.
1643315161: Opening ipv4 listen socket on port 8883.
1643315161: Opening ipv4 listen socket on port 1883.
1643315161: Opening ipv6 listen socket on port 1883.
1643315161: mosquitto version 2.0.14 running
1643315168: New connection from 192.168.1.99:46526 on port 8883.
1643315168: Client <unknown> disconnected due to malformed packet.
1643315228: New connection from 192.168.1.99:46558 on port 8883.
1643315228: Client <unknown> disconnected due to malformed packet.
/etc/mosquitto/mosquitto.conf
per_listener_settings true
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
cafile /etc/mosquitto/ca_certificates/ca.pem
keyfile /etc/mosquitto/certs/mosquitto.key
certfile /etc/mosquitto/certs/mosquitto.crt
tls_version tlsv1.2
#default port
listener 8883 192.168.1.99
require_certificate true
allow_anonymous true
protocol mqtt
connection_messages true
log_type debug
log_type error
log_type warning
log_type notice
log_type information
Trying to add subscribe like this
mosquitto_sub -V mqttv311 -h 192.168.1.99 -p 8883 --cafile /etc/mosquitto/ca_certificates/ca.pem -t sensors/drone01/altitude -d
Edit one
I created a client certificate:
openssl x509 -req -in client.csr -CA /etc/mosquitto/ca_certificates/ca.crt -CAkey /etc/mosquitto/ca_certificates/ca.key -CAcreateserial -out client.crt -days 90
To subscribe:
mosquitto_sub -V mqttv311 -h 192.168.1.99 -p 8883 --cert ./client.crt --key ./client.key -t sensors/drone01/altitude -d
Same message in the log file:
1643322374: New connection from 192.168.1.99:49000 on port 8883. 1643322374: Client <unknown> disconnected due to malformed packet.

Here is a basic setup to get you started. I created the certificates in the same way you did (I usually use certstrap for this due to its ease of use):
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
openssl genrsa -out mosquitto.key 2048
openssl req -new -key mosquitto.key -out mosquitto.csr
openssl x509 -req -in mosquitto.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mosquitto.crt -days 3650 -sha256
When generating mosquitto.csr I gave it the CN (Common Name) 127.0.0.1. Basic mosquitto.conf:
log_type all
# Don't do the below in production (it allows anyone to connect with no auth)
allow_anonymous true
listener 8883
keyfile /path/mosquitto.key
certfile /path/mosquitto.crt
After starting mosquitto (I did this in the console using mosquitto -c ./mosquitto.conf) I then ran:
mosquitto_sub -h 127.0.0.1 -p 8883 --cafile ./ca.crt -t sensors/drone01/altitude -d
This successfully connected:
Client null sending CONNECT
Client null received CONNACK (0)
Client null sending SUBSCRIBE (Mid: 1, Topic: sensors/drone01/altitude, QoS: 0, Options: 0x00)
Client null received SUBACK
Subscribed (mid: 1): 0
This does not use client certificates for authentication but it does check that the server name matches the CN in the certificate (try changing 127.0.0.1 to localhost). If your cert does not have the correct CN you would need the --insecure option).
Now that TLS is working lets add the requirement for the client certificate. Technically I could use the same certificate as above but that could be confusing so I'll generate a new one (in production I would use a different CA for this):
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -sha256
Now we update the mosquitto.conf:
log_type all
listener 8883
keyfile /path/mosquitto.key
certfile /path/mosquitto.crt
# We want to require a client certificate
require_certificate true
# This CA is used to verify the client certificate (it need not be the one used for the above mosquitto.crt)
cafile /path/ca.crt
# As we are passing a certificate we can choose to use the certificate CN as out username (removing need for allow_anonymous)
use_identity_as_username true
If you try connecting using the mosquitto_sub parameters used above it should now fail but the following works (or did when I tested it):
mosquitto_sub -h 127.0.0.1 -p 8883 --cafile ./ca.crt --cert ./client.crt --key ./client.key -t sensors/drone01/altitude -d

IBM watson internet of things platform: Connecting using mosquitto client

I create my device in Watson IoT, I see it connected and it send some events (I see it in watson iot dashboard)
I define it by the following
Device ID 1002
Device Type semaforo
So I create my app with the following info
key a-MyOrg-tecfj072yx
description base
AccessControl permissions standard application
key: a-MyOrg-tecfj072yx
token: ATokenPsw
I try to connect to the device event using mosquitto code
mosquitto_sub -h MyOrg.messaging.internetofthings.ibmcloud.com -p 8883 -i a:MyOrg:myapp -u a-MyOrg-tecfj072yx -P ATokenPsw -t iot-2/type/+/id/+/cmd/+/fmt/+
and nothing append!!! no error displayed, no event retrieved !!!
The mosquitto_sub remain as is
Why the routine in not correctly subscribed to my device event ?

To use port 8883 you need to make a TLS connection. mosquitto_sub requires either --cafile or --capath to be present on the command line to enable a TLS connection.
extracts from the man page
To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option.
--cafile
Define the path to a file containing PEM encoded CA certificates that
are trusted. Used to enable SSL communication. See also --capath
--capath
Define the path to a directory containing PEM encoded CA certificates
that are trusted. Used to enable SSL communication. For --capath to
work correctly, the certificate files must have ".crt" as the file
ending and you must run "openssl rehash " each time
you add/remove a certificate.

Thanks.
Your info help me to resolve...but the trip was not so easy
Here is all the step that resolve the connection
1-Creating the root CA Cert using your correct info (Country,State,City and so on)
openssl genrsa -aes256 -passout pass:password123 -out rootCA_key.pem 2048
openssl req -new -sha256 -x509 -days 3560 -subj "/C=IT/ST=Itali/L=Milano/O=MyOrg/OU=MyOrg Corporate/CN=MyOrg Root CA" -extensions v3_ca -set_serial 1 -passin pass:password123 -key rootCA_key.pem -out rootCA_certificate.pem -config ext.cfg
2-Uploading the root CA Certificate to the IoT Platform
You need to load the root CA certificate into the IoT platform using the console. In the settings section goto to CA Certificates in the Security section. Select to Add certificate then select the rootCA_certificate.pem file you just generated to upload to the platform, then press Save
3-Generates the key and certificate for the MQTT server using your correct info (Country,State,City and so on) and the CN MUST to be the same of your IotServer (MyOrg.messaging.....)
openssl genrsa -aes256 -passout pass:password123 -out mqttServer_key.pem 2048
openssl req -new -sha256 -subj "/C=IT/ST=Itali/L=Milano/O=MyOrg/OU=MyOrg Corporate/CN=MyOrg.messaging.internetofthings.ibmcloud.com" -passin pass:password123 -key mqttServer_key.pem -out mqttServer_crt.csr
4-Add the server certificate to the IoT Platform
Into the IoT platform in the settings section of the console in the Messaging Server Certificates section under Security. Select to Add Certificate then upload the certificate (mqttServer_crt.pem) and private key (mqttServer_key.pem). You need to also provide the password (password123).
5-Test the server certificate by using openssl:
openssl s_client -CAfile mqttServer_crt.pem -showcerts -state -servername MyOrg.messaging.internetofthings.ibmcloud.com -connect MyOrg.messaging.internetofthings.ibmcloud.com:8883
6-To download the certificate in a PEM format, that can be easily imported to a truststore and put ii into MyOrg.messaging.internetofthings.ibmcloud.com.pem
echo | openssl s_client -connect MyOrg.messaging.internetofthings.ibmcloud.com:8883 -showcerts 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > MyOrg.messaging.internetofthings.ibmcloud.com.pem
7-Now you can use into
mosquitto_sub -h MyOrg.messaging.internetofthings.ibmcloud.com -p 8883 -i a:MyOrg:myapp -u MyOrgAppKey -P MyOrgToken -t iot-2/type/+/id/+/evt/+/fmt/+ -d --cafile MyOrg.messaging.internetofthings.ibmcloud.com.pem
To complte the info here is some tutorial that can help me
developer.ibm.com
ibm.com support
github including srvext.cfg,ext.cfg files

using ssl_verify_client on, I receive "No Required SSL certificate was sent"

Summary
I am running an nginx docker container, a self-signed cert, and I am testing connectivity via the command line curl.
As long as I do not use ssl_verify_client, I am able to connect to the server without issue. But when using it, I receive
400 No required SSL certificate was sent
There are a lot of variables, and I must be missing something, so I will show the steps.
Steps
Certificate creation (via openssl)
cert_config.txt:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=ThisState
L=MyCity
O=MyOrganization
OU=MyOU
emailAddress=emailaddess#domain.com
CN=my-srv-01
[ req_ext ]
subjectAltName = #alt_names
[ alt_names ]
DNS.1 = my-srv-01
generation of the certs:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt -extensions req_ext -config cert_config.txt
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -extensions req_ext -config cert_config.txt
openssl x509 -req -days 365 -sha256 -in client.csr -CA nginx-selfsigned.crt -CAkey nginx-selfsigned.key -set_serial 2 -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Nginx configuration
server {
listen 443 ssl;
server_name my-srv-01;
root html;
ssl_certificate_key /etc/nginx/conf.d/nginx-selfsigned.key;
ssl_certificate /etc/nginx/conf.d/nginx-selfsigned.crt;
ssl_client_certificate /etc/nginx/conf.d/client.crt;
ssl_verify_client on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
Testing with curl:
curl -k -v -key /etc/nginx/conf.d/nginx-selfsigned.key -cacert /etc/nginx/conf.d/nginx-selfsigned.crt -cert /etc/nginx/conf.d/client.crt https://my-srv-01
yields (amongst the html and connection parameters):
400 No required SSL certificate was sent
But if I remove the ssl_verify_client option, curl displays the proper webpage.
I'm obviously missing something, any help is appreciated!

Installing SSL cert in Docker Swarm

I am using docker stack to deploy one service in multiple digital ocean droplets (replica > 1), one container per droplet. This is my app backend service.
I want to have a SSL cert & private key installed (and hopefully automatically renewed) so I can use TLS connection, with SSL termination setting, so data transfer from swarm LB to containers is unencrypted using port 80. I also use docker-machine cmd to setup my digital ocean ubuntu v16.04 droplet.
What is the best way of doing this?
I tried the following, and two issues arised:
I am first generating the cert and private key with let's encrypt somewhere else on a server with nginx installed (messing with my DNS also). After the cert/key generation, I then copy and install them back with docker swarm ca --rotate. But feel this approach is wrong.
With 1. set, I tried curl the backend service. The port 80 is fine, but port 443 seems to be talking http protocol, and I see the following:
$ curl -vvv https://myurl.com:443/v1/check
* Trying my.ip.address...
* Connected to myurl.com (my.ip.address) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 593 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.
$ curl -vvv http://myurl.com:443/v1/check
* Trying my.ip.address...
* Connected to myurl.com (my.ip.address) port 443 (#0)
> GET /v1/check HTTP/1.1
> Host: myurl.com:443
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sun, 09 Sep 2018 11:06:39 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding, Origin
< ETag: W/"843adc298b0b2ef417eabf2f82670fc9"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: b201d205-4c63-4318-b965-cebabc056b29
< X-Runtime: 0.078911
< X-Rack-Cache: pass
<
* Connection #0 to host myurl.com left intact
{"status":"ok","container_id":"8bd9981213e7"}
Thank you for shedding light on this subject!
I have also asked the question here:
https://forums.docker.com/t/installing-ssl-cert-in-docker-swarm/58073

You can generate certificates manually using the OpenSSL tool and configure Docker daemon to use these certificates.
Generate Server Certificates
Generate CA private and public keys:
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -out ca.pem
Create a server key and certificate signing request (CSR):
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=my.company.com" -sha256 -new -key server-key.pem -out server.csr
Sign the public key with CA:
echo subjectAltName = DNS:my.company.com,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
Generate the key:
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Generate Client Certificates
Create a client key and certificate signing request:
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Create an extensions config file:
echo extendedKeyUsage = clientAuth >> extfile.cnf
Sign the private key:
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ../server/ca.pem -CAkey ../server/ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Export cert.pem into PFX format to be added into Trusted Root Certification Authorities
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx
Configure Docker daemon with /etc/docker/daemon.json
{
"debug": false,
"tls": true,
"tlsverify": true,
"tlscacert": "/etc/docker/certificates/server/ca.pem",
"tlscert": "/etc/docker/certificates/server/server-cert.pem",
"tlskey": "/etc/docker/certificates/server/server-key.pem",
"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"]
}
Start Docker Service
systemctl start docker
Check out this article Building Jenkins Pipelines – Part 1. Setting Up Docker Swarm by Scalified.
It includes a step-by-step guide on how to setup Docker Swarm and generate server and client self-signed certificates. I hope it will help to solve your issue.

TLS error occured while trying to connect MQTT client over Secure TLS

Actually, I wanted to implement MQTT SECURE Client over TLS using ESP8266 using Arduino IDE and wanted to check if first working on CMD line or not. But it seems it is NOT WORKING on CMD line itself.
PLEASE LET ME KNOW IF IT IS A BUG or IF ANY CONFIGURATION MISSING. I NEED TO FIX IT AS SOON AS POSSIBLE.
I followed https://mosquitto.org/man/mosquitto-tls-7.html webpage
Generate a certificate authority certificate and key.
openssl req -new -x509 -days 1095 -extensions v3_ca -keyout ca.key -out ca.crt
Generate a client key.
openssl genrsa -des3 -out client.key 2048
Generate a certificate signing request to send to the CA.
openssl req -out client.csr -key client.key -new
Send the CSR to the CA, or sign it with your CA key:
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 1095
//local.conf file
bind_address 127.0.0.1
port 8883
tls_version tlsv1
cafile C:\OpenSSL-Win64\bin\ca.crt
certfile C:\OpenSSL-Win64\bin\client.crt
keyfile C:\OpenSSL-Win64\bin\client.key
require_certificate true
// One CMD window
mosquitto_sub -h 127.0.0.1 -p 8883 -q 1 -t sensor/temp --cafile C:/OpenSSL-Win64/bin/ca.crt
//Second CMD window
mosquitto -c local.conf -v
I am getting following error:
Error: A TLS error occurred &
C:\Program Files (x86)\mosquitto>mosquitto -c mosquitto_m2mqtt.conf -v
1486436916: mosquitto version 1.4.10 (build date 24/08/2016 21:03:24.73) starting
1486436916: Config loaded from mosquitto_m2mqtt.conf.
1486436916: Opening ipv6 listen socket on port 8883.
1486436916: Opening ipv4 listen socket on port 8883.
Enter PEM pass phrase:
1486436943: New connection from 127.0.0.1 on port 8883.
1486436943: OpenSSL Error: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
1486436943: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1486436943: Socket error on client <unknown>, disconnecting.

The require_certificate true flags means the broker will reject clients the don't supply their own certificate as identify themselves.
Remove this option and your client should connect. If you want to do mutual authentication then you will have to generate a client certificate as well and configure the client to send it along with the connection