@gene1wood
Last active November 28, 2024 00:07
Fix for mosquitto error tlsv1 alert unknown ca

Using Let's Encrypt certificates with mosquitto to enable TLS

I had been using the cert.pem file that Let's Encrypt produces. This file contains only the certificate.

This was configured in the mosquitto config with the line

certfile /mosquitto/config/ssl/mosquitto.crt

which pointed to a copy of the cert.pem file.

Doing so caused these errors in the mosquitto server:

1732750597: Received PINGREQ from ot-recorder-6b017c630b8c-7
1732750597: Sending PINGRESP to ot-recorder-6b017c630b8c-7
1732750598: New connection from 192.168.0.35:44442 on port 8883.
1732750598: OpenSSL Error[0]: error:0A000418:SSL routines::tlsv1 alert unknown ca
1732750598: Client <unknown> disconnected: Protocol error.

And this error on the client:

$ mosquitto_sub -h owntracks.kixy.win -p 8883 -v -t 'owntracks/#'
Error: A TLS error occurred.

The fix was to use the fullchain.pem file from Let's Encrypt instead, which includes the intermediate certificate as well.

So instead of copying cert.pem to /mosquitto/config/ssl/mosquitto.crt, I copied fullchain.pem to /mosquitto/config/ssl/mosquitto.crt and it started working.
