Mosquitto on EC2 with TLS

2
votes

Problem

I want to setup my MQTT broker on an AWS EC2 instance and connect to it with TLS.

I have the instance running and I can connect (pub/sub) to Mosquitto from my local machine successfully with vanilla unencrypted MQTT. When using TSL, I get the error tlsv1 alert unknown ca.

After many hours of reading and trying different tutorials and examples, I still can't figure this out. Here's what I did and in my (limited) understanding of certificates and encryption should work:

What I tried

Let's say my EC2 instance is available at host ec2-x.compute-1.amazonaws.com and IP 54.1.1.1. My local network's IP is 192.77.77.77.

SSH into EC2 and generate certificates using OwnTracks's generate-CA.sh in a directory ~/iot. I generate the certs issuuing

HOSTLIST="ec2-x.compute-1.amazonaws.com" IPLIST="54.1.1.1" bash ./generate-CA.sh ec2-x.compute-1.amazonaws.com

Certificate generation results in a bunch of files, namely

ca.crt ca.key ca.srl ec2-x.compute-1.amazonaws.com.crt ec2-x.compute-1.amazonaws.com.csr ec2-x.compute-1.amazonaws.com.key

Now I'm ready to configure my broker with mqtt.conf:

# mosquitto.conf
listener 8883
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
cafile ./ca.crt
certfile ./ec2-x.compute-1.amazonaws.com.crt
keyfile ./ec2-x.compute-1.amazonaws.com.key

Time to start the broker with mosquitto -c mqtt.conf.

In order to sub to the broker, I copy the content of ca.crt to my laptop and run mosquitto_sub -h ec2-x.compute-1.amazonaws.com -p 8883 --cafile ca.crt -t +.

Resulting error

What I get on the subscriber side is 

Error: A TLS error occurred.

The server does realize there is a connection attempt happening but reacts with 

1475320985: New connection from 192.77.77.77 on port 8883.
1475320986: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1475320986: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1475320986: Socket error on client , disconnecting.

I've tried following guides step by step like this very good one or this one but to no avail.

1
sslamazon-ec2mqtt

1 Answers

3
votes

While I was writing this down, I realized that in my last attempt (which followed all the steps lined out above), I forgot to copy the ca.crt file to the client before trying to subscribe it to the broker.

With the wrong ca.crt file installed on the client (a different one from a previous attempt), the above unknown ca error makes a lot of sense. After copying the file to the client, it successfully connected with TLS to the broker on EC2.

I figured I'd still post the question as it took me some hours to figure all the details in all the steps out, and it might come in handy for others running into similar problems.