
EMQ + Letsencrypt #765

Closed
serenityluna opened this issue Nov 13, 2016 · 15 comments

Comments

@serenityluna

Best regards

I cannot configure EMQ with Let's Encrypt.
I'm using Development: emqttd-v2.0-rc.3 released on 2016/11/03

Let's Encrypt gives me the following files:

cert.pem
chain.pem
fullchain.pem
privkey.pem

I have tried several ways in emq.conf:

Attempt 1:
cacertfile = etc/certs/chain.pem
certfile = etc/certs/cert.pem
keyfile = etc/certs/privkey.pem

Attempt 2:
cacertfile = etc/certs/fullchain.pem
certfile = etc/certs/cert.pem
keyfile = etc/certs/privkey.pem

Attempt 3:
Concatenating chain.pem + Root CA = chainca.pem
https://mosquitto.org/2015/12/using-lets-encrypt-certificates-with-mosquitto/

cacertfile = etc/certs/chainca.pem
certfile = etc/certs/cert.pem
keyfile = etc/certs/privkey.pem

Attempt 4:
Concatenating privkey.pem + fullchain.pem = keyfile.pem

cacertfile = etc/certs/chain.pem
certfile = etc/certs/cert.pem
keyfile = etc/certs/keyfile.pem

Thanks for everything.
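The four files listed above relate to each other in a fixed way: certbot's fullchain.pem is cert.pem followed by chain.pem, and privkey.pem holds only the key. The following is an added example, not code from the EMQ project or from anyone in this thread, that reads PEM framing with the standard library to check those relationships and to show what the "Attempt 4" concatenation actually contains. The certificate and key bodies are constructed placeholders (base64 text, not real DER), so it runs offline.

```python
"""Inspect the PEM files certbot writes and how they relate to each other.

Added example for this thread, not EMQ or certbot code. It only looks at PEM
framing (BEGIN/END blocks) and needs no crypto library; the base64 bodies
below are constructed placeholders, not real certificates or keys.
"""
import base64
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _fake_pem(label: str, seed: str) -> str:
    """Constructed PEM-looking block: the body is base64 text, NOT valid DER."""
    body = base64.b64encode((seed * 8).encode()).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


LEAF = _fake_pem("CERTIFICATE", "leaf certificate for the broker hostname ")
INTERMEDIATE = _fake_pem("CERTIFICATE", "issuing intermediate CA ")
KEY = _fake_pem("PRIVATE KEY", "private key bytes ")

# The four files from the opening post, plus the "Attempt 4" concatenation.
SAMPLE_FILES = {
    "cert.pem": LEAF,
    "chain.pem": INTERMEDIATE,
    "fullchain.pem": LEAF + INTERMEDIATE,
    "privkey.pem": KEY,
    "keyfile.pem": KEY + LEAF + INTERMEDIATE,
}


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """(label, body-without-whitespace) for every PEM block in text, in order."""
    return [(label, re.sub(r"\s+", "", body)) for label, body in PEM_BLOCK.findall(text)]


def describe(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Count certificate and private-key blocks in each file."""
    summary = {}
    for name, text in files.items():
        blocks = pem_blocks(text)
        summary[name] = {
            "certs": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
            "keys": sum(1 for label, _ in blocks if label.endswith("PRIVATE KEY")),
        }
    return summary


def check_layout(files: Dict[str, str]) -> Dict[str, bool]:
    """Named checks on the certbot layout: fullchain.pem is cert.pem followed by
    chain.pem, chain.pem does not repeat the leaf, privkey.pem holds exactly one
    key, and whether a file used as the key file also carries certificates (the
    thread's 8883 test worked with such a file, but only the key is needed)."""
    cert, chain = pem_blocks(files["cert.pem"]), pem_blocks(files["chain.pem"])
    full, key = pem_blocks(files["fullchain.pem"]), pem_blocks(files["privkey.pem"])
    return {
        "cert_is_single_certificate": len(cert) == 1 and cert[0][0] == "CERTIFICATE",
        "fullchain_is_cert_plus_chain": full == cert + chain,
        "chain_has_no_leaf": (cert[0] not in chain) if cert else False,
        "privkey_is_single_key": len(key) == 1 and key[0][0].endswith("PRIVATE KEY"),
        "keyfile_mixes_key_and_certs": (
            "keyfile.pem" in files and describe(files)["keyfile.pem"]["certs"] > 0),
    }


if __name__ == "__main__":
    for name, counts in describe(SAMPLE_FILES).items():
        print(f"{name:14s} {counts}")
    for check, ok in check_layout(SAMPLE_FILES).items():
        print(f"{check:32s} {ok}")
```

On real files, build the dictionary as `{name: open(path).read() for name in (...)}` over the live certbot directory. The thread's later replies use the three files separately rather than concatenated: certfile = cert.pem, keyfile = privkey.pem and cacertfile = chain.pem.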

@turtleDeng
Member

turtleDeng commented Nov 14, 2016

Are there any error logs? Do you want to configure one-way authentication or two-way authentication?

@fallstool

@turtleDeng
Hi, I encounter the same problem. How do I configure two-way authentication? Thanks.

@turtleDeng
Member

Attempt 3
Concatenating chain.pem + Root CA = chainca.pem
https://mosquitto.org/2015/12/using-lets-encrypt-certificates-with-mosquitto/

## SSL Options
mqtt.listener.ssl.handshake_timeout = 15
mqtt.listener.ssl.keyfile = etc/certs/keyfile.pem
mqtt.listener.ssl.certfile = etc/certs/cert.pem
mqtt.listener.ssl.cacertfile = etc/certs/chainca.pem
mqtt.listener.ssl.verify = verify_peer
mqtt.listener.ssl.fail_if_no_peer_cert = true


@serenityluna
Author

Friend turtleDeng, sorry for the delay.

You are explaining to me that the correct way to configure it is:

Attempt 3
Concatenating chain.pem + Root CA = chainca.pem

## SSL Options
mqtt.listener.ssl.handshake_timeout = 15
mqtt.listener.ssl.keyfile = etc/certs/keyfile.pem
mqtt.listener.ssl.certfile = etc/certs/cert.pem
mqtt.listener.ssl.cacertfile = etc/certs/chainca.pem
mqtt.listener.ssl.verify = verify_peer
mqtt.listener.ssl.fail_if_no_peer_cert = true

So I probed the configuration from port 8883, and it worked!

The problem is that I've always tried the websocket protocol.

Which was configured like this:

mqtt.listener.https.handshake_timeout = 15
mqtt.listener.https.certfile = etc/certs/cert.pem
mqtt.listener.https.keyfile = etc/certs/keyfile.pem
mqtt.listener.https.cacertfile = etc/certs/chainca.pem
mqtt.listener.https.verify = verify_peer
mqtt.listener.https.fail_if_no_peer_cert = true

And it still fails!

But this time, knowing that I have well-configured certificates (thanks for
that!), I decided to try other configurations, and I realized that if I comment
out the line mqtt.listener.https.verify = verify_peer, the connection through
websocket works.
Leaving the configuration as follows:

mqtt.listener.https.handshake_timeout = 15
mqtt.listener.https.certfile = etc/certs/cert.pem
mqtt.listener.https.keyfile = etc/certs/keyfile.pem
mqtt.listener.https.cacertfile = etc/certs/chainca.pem
## mqtt.listener.https.verify = verify_peer
## mqtt.listener.https.fail_if_no_peer_cert = true

I would like to know the reason why it is failing. Is it normal? What do
these parameters mean? (mqtt.listener.https.verify = verify_peer,
mqtt.listener.https.fail_if_no_peer_cert = true)

Does it have to do with what you asked me in your first response? (Do you
want to configure one-way authentication or two-way authentication?)


@turtleDeng
Member

{verify, verify_type()}
A server only does x509-path validation in mode verify_peer, as it then sends a certificate request to the client (this message is not sent if the verify option is verify_none). You can then also want to specify option fail_if_no_peer_cert.
{fail_if_no_peer_cert, boolean()}
Used together with {verify, verify_peer} by an SSL server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid). Defaults to false.

See the ssl documentation for details!

@serenityluna
Author

As you recommended, I read the ssl documentation, and I found the following:
In mode verify_none the default behavior is to allow all x509-path
validation errors.

Please explain to me:

Why can't I use verify_peer with websockets (8084), but I can use it with
TLS over TCP (8883)?


@serenityluna
Author

Best regards.

verify_peer still does not work on websockets with TLS (HTTPS / WSS
Listener - 8084).

I have tried downloading emqttd-ubuntu64-v2.0-rc.3-20161103.zip again and
running it clean, and I still get the same error.
I also tried other certificates issued by COMODO. I did it just out of
curiosity, since the checks made with openssl s_client told me that both
Let's Encrypt and COMODO certificates are well installed.

This is the error when I use (mqtt.listener.https.verify = verify_peer):

Erlang MQTT Broker 2.0 is running now

Eshell V7.3 (abort with ^G)

(emqttd@127.0.0.1)1> 05:37:02.582 [error] Error in process <0.1139.0> on
node 'emqttd@127.0.0.1' with exit value:

{{ssl_error,closed},[{esockd_connection,upgrade,1,[{file,"src/esockd_connection.erl"},{line,113}]},{mochiweb_http,init,2,[{file,"src/mochiweb_http.erl"},{line,30}]}]}

05:37:02.583 [error] Supervisor 'esockd_connection_sup - <0.1094.0>' had
child connection started with
mochiweb_http:start_link({emqttd_http,handle_request,[]}) at <0.1139.0>
exit with reason {ssl_error,closed} in esockd_connection:upgrade/1 line 113
in context connection_crashed

05:37:02.889 [error] Error in process <0.1141.0> on node 'emqttd@127.0.0.1'
with exit value:

{{ssl_error,closed},[{esockd_connection,upgrade,1,[{file,"src/esockd_connection.erl"},{line,113}]},{mochiweb_http,init,2,[{file,"src/mochiweb_http.erl"},{line,30}]}]}
05:37:02.890 [error] Supervisor 'esockd_connection_sup - <0.1094.0>' had
child connection started with
mochiweb_http:start_link({emqttd_http,handle_request,[]}) at <0.1141.0>
exit with reason {ssl_error,closed} in esockd_connection:upgrade/1 line 113
in context connection_crashed

COMODO:

HTTP (SSL) Listener

mqtt.listener.https = 8084
mqtt.listener.https.acceptors = 4
mqtt.listener.https.max_clients = 64
mqtt.listener.https.handshake_timeout = 2000

mqtt.listener.https.keyfile = /opt/emqttd/etc/certs/private.key
mqtt.listener.https.certfile = /opt/emqttd/etc/certs/cert.crt
mqtt.listener.https.cacertfile = /opt/emqttd/etc/certs/ca-bundle.crt

mqtt.listener.https.verify = verify_peer
mqtt.listener.https.fail_if_no_peer_cert = true

Note: Same configuration in SSL Listener - 8883 works fine!

@Mojo90

Mojo90 commented Aug 12, 2017

I have the same error. How to deal with that? I already tried to set mqtt.listener.https.fail_if_no_peer_cert to false and/or mqtt.listener.https.verify to verify_none. But neither one worked. Help appreciated!

Btw: I think concatenating is not needed as fullchain.pem already includes Root CA, isn't it?

@xerosanyam

Please give steps on how to generate a certificate using Let's Encrypt and use it successfully over WSS.

@emqplus emqplus modified the milestones: 2.0 - Route, Config, Release, Deploy, Docker, VM, 2.4 - Never Crash, 2.4-beta.1 Dec 27, 2017
@arihantdaga

Same problem. Can't understand how to set up SSL for websockets using Let's Encrypt.
I think the documentation lacks a clear definition and use of the different parameters in the configuration.

@grutabow
Contributor

Let's Encrypt generates a certificate for the server. That means we should use one-way TLS authentication.

Suppose we are utilizing websocket over TLS.

The emq.conf should look like below:

listener.wss.external.keyfile = etc/certs/privkey.pem
listener.wss.external.certfile = etc/certs/cert.pem
## listener.wss.external.cacertfile = etc/certs/cacert.pem
listener.wss.external.verify = verify_none
listener.wss.external.fail_if_no_peer_cert = false

And the paho python code should look like below:

import paho.mqtt.publish as publish

# ca_certs makes the client verify the broker's certificate chain; no client
# certificate is sent, which is the one-way setup the listener above expects.
tls_param = {'ca_certs': "fullchain.pem"}
publish.single("test/topic", payload="abc", qos=1, retain=False, hostname="www.example.com",
               port=8084, client_id="923975342346", keepalive=60, will=None, auth=None,
               tls=tls_param, protocol=4, transport="websockets")
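To make the one-way/two-way distinction concrete, here is an added example, not EMQ project code and not from anyone in this thread, that parses emq.conf listener lines like the ones above, groups them per listener, and reports whether a client that presents no certificate can complete the handshake, using the Erlang ssl semantics of `verify` and `fail_if_no_peer_cert` quoted earlier in the thread. It also shows, with the standard library's `ssl` module, what the paho `tls` parameter amounts to on the client side. The configuration fragment is constructed from settings posted in this thread.

```python
"""Check EMQ listener TLS options for one-way vs. two-way client authentication.

Added example for this thread, not EMQ project code. It parses the flat
`key = value` lines used in emq.conf, groups them per listener and, using the
Erlang ssl semantics for `verify` and `fail_if_no_peer_cert`, reports whether
a client that presents no certificate can finish the handshake. The config
fragment below is constructed from settings that appear in this thread.
"""
import ssl
from typing import Dict, Optional

# Options that hang off a listener prefix; a key ending in anything else is the
# listener itself, whose value is its port.
TLS_OPTIONS = {"handshake_timeout", "keyfile", "certfile", "cacertfile",
               "verify", "fail_if_no_peer_cert", "acceptors", "max_clients"}

SAMPLE_CONF = """
## HTTPS/WSS listener with the settings the reporter had when websockets failed
mqtt.listener.https = 8084
mqtt.listener.https.handshake_timeout = 15
mqtt.listener.https.certfile = etc/certs/cert.pem
mqtt.listener.https.keyfile = etc/certs/keyfile.pem
mqtt.listener.https.cacertfile = etc/certs/chainca.pem
mqtt.listener.https.verify = verify_peer
mqtt.listener.https.fail_if_no_peer_cert = true

## WSS listener with the one-way settings suggested in the thread
listener.wss.external = 8084
listener.wss.external.keyfile = etc/certs/privkey.pem
listener.wss.external.certfile = etc/certs/cert.pem
## listener.wss.external.cacertfile = etc/certs/chain.pem
listener.wss.external.verify = verify_none
listener.wss.external.fail_if_no_peer_cert = false
"""


def parse_listeners(conf: str) -> Dict[str, Dict[str, str]]:
    """Group `prefix.option = value` lines by listener prefix; `#` lines are comments."""
    listeners: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()  # the thread's mail client capitalised "Mqtt."
        prefix, _, last = key.rpartition(".")
        if last in TLS_OPTIONS:
            listeners.setdefault(prefix, {})[last] = value
        else:
            listeners.setdefault(key, {})["port"] = value
    return listeners


def client_auth_mode(opts: Dict[str, str]) -> str:
    """Erlang ssl server semantics: a client certificate is requested only under
    verify_peer, and only fail_if_no_peer_cert=true rejects an empty one.
    Defaults are verify_none and false."""
    if opts.get("verify", "verify_none") != "verify_peer":
        return "one-way"
    if opts.get("fail_if_no_peer_cert", "false").lower() == "true":
        return "two-way-required"
    return "two-way-optional"


def accepts_clients_without_certificate(opts: Dict[str, str]) -> bool:
    return client_auth_mode(opts) != "two-way-required"


def lint(conf: str) -> Dict[str, Dict[str, object]]:
    """Per listener: auth mode, whether certificate-less clients get in, and notes."""
    report: Dict[str, Dict[str, object]] = {}
    for name, opts in parse_listeners(conf).items():
        mode, notes = client_auth_mode(opts), []
        if mode == "two-way-required":
            notes.append("handshake is closed for any client that sends no certificate; "
                         "a client that only has a CA bundle (like the paho example) cannot connect")
        if mode != "one-way" and "cacertfile" not in opts:
            notes.append("verify_peer without cacertfile: no CA to validate client certificates")
        if "cacertfile" not in opts:
            notes.append("no cacertfile: the broker has no intermediate to send with its own "
                         "certificate, so clients must already hold chain.pem")
        report[name] = {"port": opts.get("port"), "mode": mode,
                        "accepts_cert_less_clients": accepts_clients_without_certificate(opts),
                        "notes": notes}
    return report


def client_context_summary(cafile: Optional[str] = None) -> Dict[str, object]:
    """The client side of paho's `tls={'ca_certs': ...}`: verify the broker's chain
    and hostname, send no client certificate (one-way TLS)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


if __name__ == "__main__":
    for name, info in lint(SAMPLE_CONF).items():
        print(name, info)
    print(client_context_summary())
```

Run against a real emq.conf with `lint(open(path).read())`. The https listener in the sample comes out as two-way-required, which is the combination the reporter had on 8084 when websocket clients failed; the wss listener comes out as one-way but without a cacertfile, which is the gap the last reply in this thread closed by adding chain.pem.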

@arihantdaga

arihantdaga commented Feb 21, 2018

Did this but still getting this error:

File "/Users/iamnostar/miniconda3/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/Users/iamnostar/miniconda3/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)

Do we not have to tell the domain name anywhere in emq.conf? As my certificates are bound to a specific domain name, right?

This is my code:

import paho.mqtt.publish as publish

tls_param = {'ca_certs': "fullchain.pem"}
publish.single("test/topic", payload="abc", qos=1, retain=False, hostname="mydomain.com",
               port=8084, client_id="923975342346", keepalive=60, will=None, auth=None,
               tls=tls_param, protocol=4, transport="websockets")

And do we have to keep this fullchain.pem in mobile applications?

@grutabow
Contributor

@arihantdaga Yes, you have to keep fullchain.pem in the directory where your Python script resides.

The domain name is included in the server certificate, so you do not specify your domain name in emq.conf.

The following command will be helpful to debug certificate issues:
openssl s_client -connect mydomain.com:8084 -CAfile fullchain.pem -state

@arihantdaga

@grutabow Thank you very much. Solved now.
Although I had to add chain.pem as well to get it working with mqtt.js in the browser. I uncommented this line as well:

listener.wss.external.cacertfile = etc/certs/chain.pem

@gilbertwong96 gilbertwong96 added this to the 3.1-beta.1 milestone Dec 25, 2018