Error connecting to broker on 8883 #546

Closed
tbec opened this issue Sep 10, 2017 · 22 comments

Comments

@tbec

tbec commented Sep 10, 2017

I have set up a broker on my ubuntu home server, but cannot connect to it from a different computer (OS X), on the same LAN. In my mosquitto.conf file I have a listener on 8883, and have created a CA, cert, and key. I am able to successfully use mosquitto_sub and mosquitto_pub from localhost, but not from other computers. Here is what I've done:

Successful on localhost:

mosquitto_sub -h localhost -p 8883 -t test --cafile /etc/mosquitto/certs/ca.crt --cert ./tom.crt --key ./tom.key

and opening a new terminal and running:

mosquitto_pub -h localhost -p 8883 -t test -m "from ubuntu" --cafile /etc/mosquitto/certs/ca.crt --cert ./tom.crt --key ./tom.key

everything works. I then directly copied ca.crt, tom.crt, and tom.key to the OS X laptop and ran:

mosquitto_pub -h 192.168.1.122 -p 8883 -t test -m "from macbook" --cafile ca.crt --cert tom.crt --key tom.key

(where 192.168.1.122 is the reserved IP by the router)

and receive the error: Error: Problem setting TLS options.

I should note that I am able to connect and do not have issues when using port 1883.

Here is my mosquitto.conf file:

allow_anonymous true
password_file /etc/mosquitto/passwd

listener 1883 localhost

listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/ubuntu.crt
keyfile /etc/mosquitto/certs/ubuntu.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true

On the laptop, when I run

openssl s_client -connect 192.168.1.122:8883 -showcerts

it returns:

CONNECTED(00000003)
depth=1 CN = An MQTT broker, O = OwnTracks.org, OU = generate-CA, emailAddress = nobody@example.net
verify error:num=19:self signed certificate in certificate chain
140737168069640:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140737168069640:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=ubuntu/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net
   i:/CN=An MQTT broker/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net
-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----
 1 s:/CN=An MQTT broker/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net
   i:/CN=An MQTT broker/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net
-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----
---
Server certificate
subject=/CN=ubuntu/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net
issuer=/CN=An MQTT broker/O=OwnTracks.org/OU=generate-CA/emailAddress=nobody@example.net
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2735 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 955533E30C36A82C83DB30562806C9336229D86C35C01A36BE5E87F3196EC7B2136C6769CB40D648F8215736D566ACD9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1505009894
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

I can only think the problem is simple, so didn't want to bother y'all with it, but have found no solution so far, and am at the end of my rope. So please, any help would be much appreciated! Thank you everyone.

@toast-uz
Contributor

toast-uz commented Sep 10, 2017

I cannot identify your problem, but "Error: Problem setting TLS options." must be the problem in your local environment, such as illegal file-path or permission denied. You will find "Error: A TLS error occurred." when you have some negotiation problems between client and server.

@blizniukp

I have the same issue.

I install:
mosquitto-1.4.14-install-win32.exe
Win32OpenSSL_Light-1_0_2L.exe
on Windows Server 2012 Standard 64-bit

My mosquitto.conf file:
port 10001
capath C:\easyrsa\ca.crt
certfile C:\easyrsa\server.crt
keyfile C:\easyrsa\server.key

Everything works fine, when I run mosquitto_sub or mosquitto_pub on the same machine.
"1505724079: New connection from ::1 on port 10001.
1505724079: New client connected from ::1 as mosqsub|40-WinSrv2012-P (c1, k60).
1505724079: Sending CONNACK to mosqsub|40-WinSrv2012-P (0, 0)
1505724079: Received SUBSCRIBE from mosqsub|40-WinSrv2012-P
1505724079: # (QoS 0)
1505724079: mosqsub|40-WinSrv2012-P 0 #
1505724079: Sending SUBACK to mosqsub|40-WinSrv2012-P"

But if I try to connect from another computer on the LAN (I tested Ubuntu, Windows 7, and Fedora) I have this error:
1505724181: New connection from 192.168.201.17 on port 10001.
1505724181: OpenSSL Error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
1505724181: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1505724181: Socket error on client <unknown>, disconnecting.

I try using different versions of TLS:
tls_version tlsv1
tls_version tlsv1.1
and
tls_version tlsv1.2
but still nothing.

I run mosquitto with the same cert on Ubuntu, and I have no errors when I connect from all hosts.

How to resolve this issue?

@toast-uz
Contributor

Hi blizniukp,
Did you have "Error: Problem setting TLS options." as same as tbec?

@blizniukp

No, i have "Error: A TLS error occurred.".
But the symptoms are similar: cannot connect from any host on the LAN, but can connect from the host where the broker is running.

I try openssl lib in version 1_0_2 Light and 1.1.0f Light.

@toast-uz
Contributor

Thanks.
You are right that the symptoms are similar. But the cause seems different.
Generally, the message "tlsv1 alert internal error" occurs by mismatch of ciphers between client and server, therefore the cause is mismatch of OpenSSL version. I'm not sure your situation matches this.
If you can set Wireshark to capture ClientHello and ServerHello messages, it will be useful to clarify your issue. (NOTE: Decode port 10001 as TLS.)

@blizniukp

client:
(screenshot attachment: wireshark_client)

server:
(screenshot attachment: wireshark_server)

@toast-uz
Contributor

Thank you for the information.

  • Are these logs at the same time? Seems no problem in the client log while disconnected by the server in the server log.
  • Could you decode port 10001 as SSL in the server log? You can find "Decode as .." menu if you have right click on the packet list view.

@toast-uz
Contributor

Do you have a reverse proxy between client and server? I don't understand why the pair of TCP ports are different between the client log and the server one.

@blizniukp

"Are these logs at the same time? Seems no problem in the client log while disconnected by the server in the server log."
No, it is a different time. First I run on the client, second on the broker.

"Could you decode port 10001 as SSL in the server log? You can find "Decode as .." menu if you have right click on the packet list view."
I decode this, but I don't see change.
(screenshot attachment: 2017-09-19_09h28_55)

"Do you have a reverse proxy between client and server? I don't understand why the pair of TCP ports are different between the client log and the server one."
No, I don't have reverse proxy. Mqtt broker runs on Windows 2012 Server (Vmware).

Now, I run broker on Windows 8.1, and connect from Fedora 22.
Broker:
C:\Program Files (x86)\mosquitto>mosquitto.exe -c mosquitto_ssl.conf -v
1505806911: mosquitto version 1.4.14 (build date 11/07/2017 0:03:18.53) starting
1505806911: Config loaded from mosquitto_ssl.conf.
1505806911: Opening ipv6 listen socket on port 10001.
1505806911: Opening ipv4 listen socket on port 10001.
1505806921: New connection from 192.168.201.120 on port 10001.
1505806921: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1505806921: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1505806921: Socket error on client , disconnecting.

client:
[root@localhost crt]# mosquitto_pub -h 192.168.201.17 -p 10001 -t "t" -m "t" --cafile ca.crt --tls-version tlsv1
Error: A TLS error occurred.

Log from server:
(screenshot attachment: 2017-09-19_09h44_42)

@toast-uz
Contributor

toast-uz commented Sep 19, 2017

Regarding your previous logs, the client log showed communication between TCP port 443 and 56271, while the server log showed TCP port 45793 and 10001. Although the high ports can be changed per connection, it will need something like a node changing the ports from 443 to 10001.

What is the node? Generally, SSL load-balancer or SSL reverse-proxy transfers ports from 443 to another, as the result of decoding SSL.

In addition, I cannot understand why the server log cannot be decoded as SSL. You pasted only short packets. Could you show me packets of more than 100 bytes with a hex dump? The dump will show me the protocol.

@blizniukp

I install Windows 2012 Server on VirtualBox (on Ubuntu).
Next I don't install mosquitto and openssl, but copy package from http://www.steves-internet-guide.com/downloads/
I copy my ca.crt, server.crt and server.key and edit mosquitto.conf.

Broker runs on Windows2012 (VirtualBox), mosquitto_pub run on Ubuntu 16.04.

I check 3 configurations: tls1, tls1.1 and tls1.2

  1. First test - tls1
    mosquitto.conf:
    port 10001
    cafile C:\mosquitto\certs\ca.crt
    certfile C:\mosquitto\certs\server.crt
    keyfile C:\mosquitto\certs\server.key
    tls_version tlsv1

logs from wireshark:
tls1.zip

Broker:
C:\mosquitto>mosquitto -c mosquitto.conf -v
1505842142: mosquitto version 1.4.9 (build date 2016-06-08 11:40:24+0100) starting
1505842142: Config loaded from mosquitto.conf.
1505842142: Opening ipv6 listen socket on port 10001.
1505842142: Opening ipv4 listen socket on port 10001.
1505842148: New connection from 192.168.1.48 on port 10001.
1505842148: Socket error on client , disconnecting.
1505842185: mosquitto version 1.4.9 terminating

Client:
mosquitto_pub -h 192.168.1.21 -p 10001 -t "test" -m "mmmm" --cafile ca.crt --tls-version tlsv1
Error: A TLS error occurred.

  2. Second test - tls1.2
    mosquitto.conf:
    port 10001
    cafile C:\mosquitto\certs\ca.crt
    certfile C:\mosquitto\certs\server.crt
    keyfile C:\mosquitto\certs\server.key
    tls_version tlsv1.2

logs from wireshark:
tls1_2.zip

Broker:
C:\mosquitto>mosquitto -c mosquitto.conf -v
1505842517: mosquitto version 1.4.9 (build date 2016-06-08 11:40:24+0100) starting
1505842517: Config loaded from mosquitto.conf.
1505842517: Opening ipv6 listen socket on port 10001.
1505842517: Opening ipv4 listen socket on port 10001.
1505842524: Client connection from 192.168.1.48 failed: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number.
1505842533: mosquitto version 1.4.9 terminating

Client:
mosquitto_pub -h 192.168.1.21 -p 10001 -t "test" -m "mmmm" --cafile ca.crt --tls-version tlsv1.2
Error: A TLS error occurred.

  3. Third test - tls1.1
    mosquitto.conf:
    port 10001
    cafile C:\mosquitto\certs\ca.crt
    certfile C:\mosquitto\certs\server.crt
    keyfile C:\mosquitto\certs\server.key
    tls_version tlsv1.1

logs from wireshark:
tls1_1.zip

Broker:
1505842891: mosquitto version 1.4.9 (build date 2016-06-08 11:40:24+0100) starting
1505842891: Config loaded from mosquitto.conf.
1505842891: Opening ipv6 listen socket on port 10001.
1505842891: Opening ipv4 listen socket on port 10001.
1505842895: New connection from 192.168.1.48 on port 10001.
1505842895: Socket error on client , disconnecting.
1505843001: mosquitto version 1.4.9 terminating

Client:
mosquitto_pub -h 192.168.1.21 -p 10001 -t "test" -m "mmmm" --cafile ca.crt --tls-version tlsv1.1
Error: A TLS error occurred.

@toast-uz
Contributor

Thank you for the detailed information.

I found the communication of port 443 is unrelated. (You should filter "tcp.port == 10001".)
I did and can decode port 10001 as SSL. Finally, I found it was disconnected by client due to (Server) Certificate Unknown.

Could you retry with --insecure option? If you can connect, no doubt that the certificate is invalid.
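For readers who want to check a capture like the ones discussed above without Wireshark: an added example (not part of this thread or of mosquitto) that builds a constructed ClientHello record and parses back the fields "Decode as TLS" shows first, the record and client versions behind a "wrong version number" error, the offered cipher suites and the SNI. The hostname mqtt.example.test, the zeroed random and the cipher list are constructed values.

```python
import struct

VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def _vec(data, width):
    """Length-prefixed vector as used throughout TLS (width = 1, 2 or 3 bytes)."""
    return len(data).to_bytes(width, "big") + data


def build_client_hello(version=0x0303, ciphers=(0xC02F, 0xC030), sni=b"mqtt.example.test"):
    """Constructed ClientHello record for exercising the parser (zero random, no real crypto)."""
    host = _vec(b"\x00" + _vec(sni, 2), 2)              # server_name list: one host_name entry
    sni_ext = struct.pack(">HH", 0, len(host)) + host    # extension type 0 = server_name
    body = (struct.pack(">H", version) + bytes(32)       # client_version + 32-byte random
            + _vec(b"", 1)                               # empty session_id
            + _vec(b"".join(struct.pack(">H", c) for c in ciphers), 2)
            + _vec(b"\x00", 1)                           # compression methods: null only
            + _vec(sni_ext, 2))                          # extensions block
    handshake = b"\x01" + _vec(body, 3)                  # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">H", 0x0301) + _vec(handshake, 2)  # record type 22, legacy 3.1


def parse_client_hello(raw):
    """Return the fields Wireshark shows first for a ClientHello: versions, cipher suites, SNI."""
    if not raw or raw[0] != 0x16:
        raise ValueError("not a TLS handshake record (plaintext MQTT sent to the TLS port?)")
    rec_ver, rec_len = struct.unpack(">HH", raw[1:5])
    hs = raw[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    p = 4                                                # skip handshake type + 3-byte length
    client_ver = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                                          # client_version + random
    p += 1 + hs[p]                                       # session_id
    n = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                                       # compression methods
    sni = None
    if p + 2 <= len(hs):                                 # extensions block is optional
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            p += 4
            if etype == 0:                               # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", hs[p + 3:p + 5])[0]
                sni = hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    return {
        "record_version": VERSION_NAMES.get(rec_ver, hex(rec_ver)),
        "client_version": VERSION_NAMES.get(client_ver, hex(client_ver)),
        "cipher_suites": ciphers,
        "sni": sni,
    }
```

The record-layer version stays at 3.1 while the handshake carries the real client version, so a broker pinned with tls_version compares against the second value, not the first.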

@blizniukp

I try --insecure and I can connect.
I check certificate generated on Windows 2012, Ubuntu 16.01, and Fedora 22.
I generate certificates using these tutorials:
https://mosquitto.org/man/mosquitto-tls-7.html
http://www.steves-internet-guide.com/mosquitto-tls/
https://mcuoneclipse.com/2017/04/14/enable-secure-communication-with-tls-and-the-mosquitto-broker/
And I can't connect.

Tomorrow I check everything on Win 2016 Server (and generate new certificate).

@toast-uz
Contributor

Check the datetime of the server, the client, and the actual datetime, too. If they were significantly (a few days) unsynchronized, the certificate turned invalid.

@tbec
Author

tbec commented Sep 23, 2017

blizniukp, I am now able to establish a connection between client and broker from outside networks. My issue was that when creating the CA and server certificates, I was not assigning the Common Name (CN) correctly--it must match the hostname you use in the mosquitto calls. For instance, if you are using -h 192.168.1.21 then the CN must also be set to 192.168.1.21 in the CA and server certificates. I then just set the paths to the CA.crt, server.crt, and server.key in the mosquitto.conf file and it was successful. I wasn't aware of the importance of the Common Name needing a specific naming convention, so that was my fault for not reading more carefully. Let me know if this helps.
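To triage the broker and client errors quoted across this thread in one pass: an added example (not part of the thread or of mosquitto) that maps each OpenSSL message to where it appears, the likely cause, and what to check first. The sample lines are constructed from the thread's own error strings, and the rules encode only what the replies above established (a TLS alert in the broker log is the alert the peer sent).

```python
import re

# Constructed sample lines, modelled on the broker and client errors quoted in this thread
SAMPLE_LINES = [
    "Error: Problem setting TLS options.",
    "1505842524: Client connection from 192.168.1.48 failed: error:1408A10B:SSL routines:"
    "ssl3_get_client_hello:wrong version number.",
    "1505806921: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown",
    "1553915657: OpenSSL Error: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca",
    "1505724181: OpenSSL Error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error",
    "OpenSSL Error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed",
    "1505842148: Socket error on client , disconnecting.",
]

# (substring, where it is seen, likely cause, first things to check)
RULES = [
    ("Problem setting TLS options", "client",
     "local TLS setup failed before any handshake was attempted",
     "cafile/cert/key paths exist and are readable; no trailing whitespace after paths in the config"),
    ("wrong version number", "broker",
     "record did not carry the TLS version the listener expects (or was not TLS at all)",
     "tls_version on the listener vs --tls-version on the client; client really targets the TLS port"),
    ("alert certificate unknown", "broker",
     "the client rejected the broker certificate and sent an alert",
     "client --cafile is the CA that signed certfile; CN/SAN matches the -h value; clocks in sync"),
    ("alert unknown ca", "broker",
     "the client could not chain the broker certificate to a CA it trusts",
     "client trust store (cafile vs capath) actually contains the issuer"),
    ("alert internal error", "broker",
     "the client aborted the handshake (often a cipher or version mismatch)",
     "OpenSSL versions on both ends; tls_version; capture ClientHello/ServerHello"),
    ("certificate verify failed", "client",
     "the client could not verify the broker certificate chain",
     "CA file vs CA directory on the client; -h value matches certificate CN/SAN"),
]

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:([^:]+):")


def classify(line):
    """Triage one log line; returns None when no thread-derived rule matches (symptom only)."""
    for needle, side, cause, check in RULES:
        if needle in line:
            m = ERR_RE.search(line)
            return {
                "side": side,
                "code": m.group(1).upper() if m else None,
                "function": m.group(2) if m else None,
                "cause": cause,
                "check": check,
            }
    return None


def triage(lines):
    """Classify every line, keeping unmatched ones so nothing is silently dropped."""
    return [(line, classify(line)) for line in lines]
```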

@toast-uz
Contributor

@tbec could you close this issue?

@tbec tbec closed this as completed Nov 25, 2017
@bakyac7

bakyac7 commented Dec 12, 2017

@tbec could you help me? I'm trying to create a secure connection from my localhost to the mosquitto broker and I've got a lot of problems. I am using Ubuntu 16.04. Could you send me a tutorial or anything to follow please?

@BobK77

BobK77 commented Jan 4, 2018

"Error: Problem setting TLS options"

Another solution ... for a [different] specific cause ... for the error "Error: Problem setting TLS options", one specific cause was fixed like this:

-- in the mosquitto config file, the lines of config parameters with cert, key, and CA filenames contained a 'space' character after each filename, and before the end-of-line character.

-- removing the space just before the end-of-line character caused the error to no longer appear.

-- the mosquitto broker then started up with no errors.

@nitinware

@tbec - you are a life saver, thanks.

@gabrewat

gabrewat commented Jan 1, 2019

BobK77 +1

"Error: Problem setting TLS options"

Another solution ... for a [different] specific cause ... for the error "Error: Problem setting TLS options", one specific cause was fixed like this:

-- in the mosquitto config file, the lines of config parameters with cert, key, and CA filenames contained a 'space' character after each filename, and before the end-of-line character.

-- removing the space just before the end-of-line character caused the error to no longer appear.

-- the mosquitto broker then started up with no errors.

Looked for extra spaces at end of all lines in mosquitto.conf that I had edited/added. Found one at end of "keyFile" line and removed it. Was difficult to debug the "systemctl start mosquitto" script on Centos 7 but this fixed the problem. Thanks!

@prologic

I can't currently figure this error out:

owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915657: New connection from 10.0.0.193 on port 8883.
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915657: OpenSSL Error: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915657: OpenSSL Error: error:140370E5:SSL routines:ACCEPT_SR_KEY_EXCH:ssl handshake failure
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915657: Socket error on client <unknown>, disconnecting.
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915660: New connection from 10.0.0.193 on port 8883.
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915660: OpenSSL Error: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915660: OpenSSL Error: error:140370E5:SSL routines:ACCEPT_SR_KEY_EXCH:ssl handshake failure
owntracks_mosquitto.1.y674af75frvx@dm1.mydomain.com    | 1553915660: Socket error on client <unknown>, disconnecting.

I am using the following command to connect:

$ mosquitto_sub -h mqtt.mydomain.com -t owntracks/# -p 8883 --capath /etc/ssl/certs/ -u ot-recorder

Passing the --insecure option has the same error. On the client I get:

Client mosqsub|42196-Jamess-Ma sending CONNECT
OpenSSL Error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Error: A TLS error occurred.

mosquitto.conf looks like this:

listener 8883
cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/mosquitto.crt
keyfile /mosquitto/config/certs/mosquitto.key
require_certificate false
  • ca.crt is the chain.pem from certbot
  • mosquitto.crt is the cert.pem from certbot
  • mosquitto.key is the privkey.pem from certbot

The certs were acquired from Let's Encrypt manually with DNS validation with:

$ certbot -d mqtt.mydomain.com --manual --preferred-challenges dns certonly

What am I doing wrong here?

@ralight
Contributor

ralight commented Apr 17, 2019

Try using capath /etc/ssl/certs in your config instead, see if that works.
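A small pre-flight check for the local causes of "Error: Problem setting TLS options" gathered in this thread (missing or unreadable cert paths, trailing whitespace after a path, and a file given to capath where a directory is expected, or the reverse). This is an added example, not mosquitto's own code; the filesystem probe can be swapped for a constructed dict (FAKE_FS below, with constructed paths) so it also runs offline.

```python
import os

FILE_KEYS = {"cafile", "certfile", "keyfile", "password_file"}  # value must be a readable file
DIR_KEYS = {"capath"}                                           # value must be a directory

# Constructed sample mirroring the mistakes reported in this thread:
# a trailing space after keyfile, and a single file handed to capath.
SAMPLE_CONF = (
    "listener 8883\n"
    "cafile /etc/mosquitto/certs/ca.crt\n"
    "certfile /etc/mosquitto/certs/ubuntu.crt\n"
    "keyfile /etc/mosquitto/certs/ubuntu.key \n"
    "capath /etc/ssl/certs/ca.crt\n"
)
FAKE_FS = {  # constructed: path -> "file" | "dir" | "unreadable"
    "/etc/mosquitto/certs/ca.crt": "file",
    "/etc/mosquitto/certs/ubuntu.crt": "file",
    "/etc/mosquitto/certs/ubuntu.key": "file",
    "/etc/ssl/certs/ca.crt": "file",
}


def probe(path, fs=None):
    """Kind of filesystem object at path, from the real FS or from a constructed dict."""
    if fs is not None:
        return fs.get(path)
    if os.path.isdir(path):
        return "dir"
    if os.path.isfile(path):
        return "file" if os.access(path, os.R_OK) else "unreadable"
    return None


def lint_mosquitto_conf(text, fs=None):
    """Return (line_number, message) findings for the TLS-related directives."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw != raw.rstrip():
            findings.append((n, "trailing whitespace after the value (reported in this thread "
                                "as a cause of 'Problem setting TLS options')"))
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key in FILE_KEYS | DIR_KEYS:
            kind = probe(value, fs)
            if kind is None:
                findings.append((n, f"{key}: {value!r} does not exist"))
            elif kind == "unreadable":
                findings.append((n, f"{key}: {value!r} is not readable by this user"))
            elif key in FILE_KEYS and kind == "dir":
                findings.append((n, f"{key}: {value!r} is a directory; use capath for a CA directory"))
            elif key in DIR_KEYS and kind != "dir":
                findings.append((n, f"{key}: {value!r} is a file; use cafile for a single CA file"))
    return findings
```

Run it as the same user the broker runs as, since a key readable by root but not by the mosquitto service user produces the same startup error.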

@lock lock bot locked as resolved and limited conversation to collaborators Aug 7, 2019