mosquitto-clients and broker running over SSL

Date: 2016-02-29 01:29:18

Tags: ssl mqtt mosquitto

I managed to set up the broker using a Let's Encrypt certificate.

I have already tested a websockets client connecting to wss://broker:9002/mqtt, and it works. I have also successfully subscribed to a topic on the broker at mqtts://broker:8883/mqtt using the mqtt.js command line interface.

However, I can't get mosquitto_sub/mosquitto_pub to work. I tried,

$ mosquitto_sub -h www.my-host.com.ar -p 8883 -t hello -d --cafile fullchain.pem
Client mosqsub/21069-atlantis sending CONNECT
Error: A TLS error occurred.

where fullchain.pem is the same as the CA certificate on the server.

The broker's mosquitto.log says,

1456709201: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1456709201: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1456709201: Socket error on client <unknown>, disconnecting.
1456709206: New connection from <my-ip> on port 8883.

What could be happening? I didn't provide any certificate for the mqtt.js lib...

This is my broker conf (split into two files),

#################################
# /etc/mosquitto/mosquitto.conf #
#################################
pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

listener 1883

listener 8883
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem

include_dir /etc/mosquitto/conf.d

#############################################
# /etc/mosquitto/conf.d/websockets_ssl.conf #
#############################################
listener 9002
protocol websockets
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem

1 answer:

Answer 0: (score 0)

Try adding "--insecure" at the end of the mosquitto_sub and mosquitto_pub commands. This lets the client bypass the check that the certificate hostname matches the remote hostname. I had to do this with some self-signed certificates I generated.

Here is the relevant note from "--help" for these commands:

--insecure : do not check that the server certificate hostname matches the remote
             hostname. Using this option means that you cannot be sure that the
             remote host is the server you wish to connect to and so is insecure.
             Do not use this option in a production environment.
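The "tlsv1 alert unknown ca" in the broker log is the client saying it could not build a chain from the server certificate to a self-signed root it trusts, which is a trust-anchor problem; the --insecure flag quoted above only switches off the hostname check. As an added example (not part of the question or the answer), the script below builds a throwaway root -> intermediate -> server chain with openssl and verifies the server certificate the way an OpenSSL-based client does, first with a fullchain-style file (server cert + intermediate, no root) as the anchor, then with the root, and finally with a wrong hostname; the CA names are constructed and the hostname is the one from the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Requires openssl.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
HOST="www.my-host.com.ar"      # hostname from the question
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcsr NAME CN: fresh RSA key plus CSR. The extension file used at
# signing time decides whether the result is a CA or a server cert.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/srv.ext"
  mkcsr root "Toy Root CA"                       # constructed name
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  mkcsr int "Toy Intermediate CA"                # constructed name
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  mkcsr leaf "$HOST"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/srv.ext" -out "$WORK/cert.pem" 2>/dev/null
  # Same layout as Let's Encrypt's fullchain.pem: server cert + intermediate, no root.
  cat "$WORK/cert.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# verify_with CAFILE HOSTNAME: returns 0 when cert.pem chains to a self-signed
# root in CAFILE (the intermediate is offered as untrusted, as a broker sends it)
# and its SAN matches HOSTNAME; non-zero otherwise. This mirrors what an
# OpenSSL client does with --cafile, without --insecure.
verify_with() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/int.pem" \
    -verify_hostname "$2" "$WORK/cert.pem" >/dev/null 2>&1
}

build_chain
for anchor in fullchain.pem root.pem; do
  if verify_with "$anchor" "$HOST"; then echo "--cafile $anchor: OK"
  else echo "--cafile $anchor: FAIL (no self-signed root to trust)"; fi
done
if verify_with root.pem other.example; then echo "hostname other.example: OK"
else echo "hostname other.example: FAIL (this is the check --insecure disables)"; fi
```

With a real Let's Encrypt deployment the same rule applies: the client's --cafile (or --capath) must contain the self-signed root that issued the intermediate, not the fullchain.pem served by the broker.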