I am trying to automate the creation of certificates, using the steps from a StackOverflow answer here.
These are the commands I'm trying:

  1. openssl genrsa -des3 -out ca.key 2048
  2. openssl req -new -key ca.key -out ca-cert-request.csr -sha256
  3. openssl x509 -req -in ca-cert-request.csr -signkey ca.key -out ca-root-cert.crt -days 365 -sha256
  4. openssl genrsa -out server.key 2048
  5. openssl req -new -key server.key -out server-cert-request.csr -sha256
  6. openssl x509 -req -in server-cert-request.csr -CA ca-root-cert.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

In step 2, I am leaving the Common Name blank. In step 5 I have tried localhost and the actual hostname for the Common Name.

When I run mosquitto_pub -h localhost -t mqttsTest42 -p 8883 -m testMessage --cafile "C:\Certificates\ca-root-cert.crt" --cert "C:\Certificates\server.crt" --key "C:\Certificates\server.key" it outputs this:

Connection error: Connection Refused: not authorised.
Error: The connection was refused.

If I run Mosquitto manually, it gives this:

C:\Program Files\mosquitto>mosquitto -c mosquitto.conf -v
1669685112: mosquitto version 2.0.14 starting
1669685112: Config loaded from mosquitto.conf.
1669685112: Opening ipv6 listen socket on port 8883.
1669685112: Opening ipv4 listen socket on port 8883.
1669685112: mosquitto version 2.0.14 running
1669685121: New connection from ::1:49375 on port 8883.
1669685121: Sending CONNACK to auto-7484C261-71E1-F653-3807-74471901380A (0, 5)
1669685121: Client auto-7484C261-71E1-F653-3807-74471901380A disconnected, not authorised.

I had this working with Mosquitto and another broker at one point. In my effort to automate this, I have changed too many things, and now cannot even get the original six steps above to work for me anymore.

I am currently using mosquitto version 2.0.14 and OpenSSL version 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022). I have tried one other version of Mosquitto, and one other version of OpenSSL.

The batch file I created is here.
My openssl.cnf is here.

My mosquitto.conf contains these lines:

listener 8883
certfile C:\Certificates\server.crt
keyfile C:\Certificates\server.key
cafile C:\Certificates\ca-root-cert.crt

What should I try next?

2 Answers

1

I suspect this has nothing to do with the OpenSSL/Certificate side of things. If this were the problem, the error message would say something about a TLS error or handshake failure or something like that -- I don't remember what the error message I got when it happened to me said.

The error messages you're getting however suggest TLS happened fine and the CONNACK is coming from mosquitto at the application level.

I would check your mosquitto.conf file; I suspect there are some permission settings or an ACL in there that's restricting publish access to the mqttsTest42 topic, which is why it kicks the client off for trying to publish to it.
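The log excerpt in the question is what settles the TLS-versus-MQTT question: "Sending CONNACK ... (0, 5)" means the broker got far enough to answer at the MQTT layer, and return code 5 is "not authorised" in the MQTT 3.1.1 CONNACK table. The classifier below is an added example (not code from the question or the answers) that parses mosquitto -v output with regexes derived from the line shapes shown above; the sample log is the one from the question, and the "no CONNACK after New connection" verdict is an assumption about what a failure before MQTT looks like.

```python
import re

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3).
CONNACK_RETURN_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorised",
}

# Line shapes copied from the mosquitto -v output in the question.
NEW_CONN_RE = re.compile(r"^\d+: New connection from (?P<peer>\S+) on port (?P<port>\d+)\.$")
CONNACK_RE = re.compile(r"^\d+: Sending CONNACK to (?P<client>\S+) \((?P<flags>\d+), (?P<rc>\d+)\)$")

# Sample input: the broker log pasted in the question.
SAMPLE_LOG = """1669685121: New connection from ::1:49375 on port 8883.
1669685121: Sending CONNACK to auto-7484C261-71E1-F653-3807-74471901380A (0, 5)
1669685121: Client auto-7484C261-71E1-F653-3807-74471901380A disconnected, not authorised.
"""

def diagnose(log_text):
    """Decide whether a refused client failed before MQTT (transport/TLS)
    or was refused by the broker itself via a non-zero CONNACK code."""
    connections, connacks = 0, []
    for line in log_text.splitlines():
        line = line.strip()
        if NEW_CONN_RE.match(line):
            connections += 1
            continue
        m = CONNACK_RE.match(line)
        if m:
            rc = int(m.group("rc"))
            connacks.append((m.group("client"), rc, CONNACK_RETURN_CODES.get(rc, "unknown return code")))
    refused = [c for c in connacks if c[1] != 0]
    if refused:
        # TLS handshake completed; the refusal is broker policy (auth, ACL, anonymous access).
        layer, detail = "mqtt", "; ".join(f"{c[0]}: {c[2]}" for c in refused)
    elif connacks:
        layer, detail = "ok", "all CONNACKs accepted"
    elif connections:
        # Assumption: a socket opened but no CONNACK means the failure was before MQTT.
        layer, detail = "transport", "connection opened but no CONNACK sent: check TLS/certificates"
    else:
        layer, detail = "none", "no client connections in log"
    return {"connections": connections, "connacks": connacks, "layer": layer, "detail": detail}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For the question's log the verdict is layer "mqtt", which is why the certificate chain is not the first thing to revisit.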

1

I had a similar issue, and although slightly different it may help others, as it took me a long time and a lot of searching to find it.

Changing the certificate/key permissions fixed the issue for me. E.g.

sudo chmod 744 raspberrypi.crt

sudo chmod 644 raspberrypi.key

As per this forum: https://github.com/owntracks/tools/issues/6

Markus