ShineWeLink datalogger connects but disconnects with "malformed packet" / multiple CONNECT messages

[du476x]

Hello everyone,

I got IP banned by growatt on my HA integration (not sure why but meh), I have 2 inverter setup 4 panels without shadow using a ShineWiFi-X which is already working with grott, but the other 2 panels which are shadowed some time runs on the datalogger/micro inverter detailed below, long story short, I've spent 4-5 days trying to make this work but looks like I need some help.

Device info:

Datalogger: ShineWeLink (model: RFM0EXE0TH)
Inverter: Growatt (NEO 2500M-X2 , connected via ShineWeLink)
Firmware: 7.7.1.0

Setup:

Mosquitto 2.0.18 + 2.1.2 (TLS on port 7006, RSA cert via Let's Encrypt R13)
GroBro latest (ghcr.io/robertzaage/grobro:latest)
Raspberry Pi 4, local network

What works:

TLS handshake completes successfully (TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384) after struggling for couple days.
ShineWeLink sends CONNECT, authenticates as RFM0EXE0TH
SUBSCRIBE to s/33/RFM0EXE0TH? succeeds
PINGREQs are exchanged

What fails:
On mosquitto 2.1.2:
Client RFM0EXE0TH negotiated TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Sending CONNACK to RFM0EXE0TH (0, 0)
Received SUBSCRIBE from RFM0EXE0TH
Sending SUBACK to RFM0EXE0TH
Received PINGREQ / Sending PINGRESP (x4)
Client RFM0EXE0TH disconnected: malformed packet.
On mosquitto 2.0.18:
Sending SUBACK to RFM0EXE0TH
Bad client RFM0EXE0TH sending multiple CONNECT messages.
Client RFM0EXE0TH disconnected due to protocol error.
Root cause analysis:
The ShineWeLink appears to open two simultaneous TCP connections to port 7006:

First connection: standard MQTT flow (CONNECT → SUBSCRIBE → PUBLISH telemetry)
Second connection: arrives with a CONNACK (0x20) as first packet — likely the Growatt cloud response being proxied back

The second connection causes First packet not CONNECT errors on every reconnect cycle. Additionally, after SUBACK the device sends either a malformed PUBLISH (rejected by mosquitto 2.1.2 strict validation) or a second CONNECT on the same connection (rejected by 2.0.x).
pcap evidence:
From tshark capture, the full sequence before disconnect:
Client Hello (SNI=mqtt.mydomain.com)
Server Hello + Certificate (RSA, R13 chain)
Client Key Exchange → Change Cipher Spec
CONNECT (74 bytes encrypted)
CONNACK
SUBSCRIBE s/33/RFM0EXE0TH? QoS1
SUBACK
PINGREQ x4
PUBLISH (543 bytes) → mosquitto sends FIN/TLS Alert
The PUBLISH packet triggers immediate disconnect — its content is encrypted so the exact topic/payload is unknown without TLS keys.

Is the ShineWeLink datalogger supported by GroBro? The README mentions ShineWeLink support but the protocol behavior (dual TCP connections, non-standard PUBLISH after SUBACK) makes me think it is not. Is there a specific mosquitto version or configuration known to work with this device?

Notes on TLS setup (may help others):

Let's Encrypt ECDSA certs (E8 chain) are rejected by ShineWeLink firmware — RSA cert required
The specific intermediate CA matters: R13 works, E8 does not
Full chain must include root (ISRG Root X1) explicitly

 mosquitto-tls:
    image: eclipse-mosquitto:2.0.18 #testes latest, 2.0.18 and 1.6.15)
    container_name: mosquitto-tls
    restart: unless-stopped
    ports:
      - "7006:7006"
    volumes:
      - ./certs:/mosquitto/certs
      - ./config:/mosquitto/config
      - ./data:/mosquitto/data
  
  grobro:
    image: ghcr.io/robertzaage/grobro:latest
    container_name: grobro
    restart: unless-stopped
    environment:
      # Fuente: Mosquitto interno sin TLS
      SOURCE_MQTT_HOST: mosquitto-tls #tried adding a second listener instead of the "domain" didn't work with secure as well
      SOURCE_MQTT_PORT: 1883
      SOURCE_MQTT_TLS: "false"

      # Destino: tu Mosquitto de Home Assistant
      TARGET_MQTT_HOST: 192.168.1.122
      TARGET_MQTT_PORT: 1883
      TARGET_MQTT_TLS: "false"
      TARGET_MQTT_USER: "user"
      TARGET_MQTT_PASS: "password"

      REGISTER_FILTER: "RFM0EXE0TH"
      GROWATT_CLOUD_FORWARD: "false"
      BLOCK_CONFIG_MESSAGES: "true"
      LOG_LEVEL: "DEBUG"

rp42tb:~/mosquitto$ cat config/mosquitto.conf
listener 7006
certfile /mosquitto/certs/chain-full.pem
keyfile /mosquitto/certs/privkey.pem
cafile /mosquitto/certs/root.pem
tls_version tlsv1.2

listener 1883

allow_anonymous true
persistence false
log_type all
log_dest stdout
max_packet_size 65536

[robertzaage]

Hi @du476x please try EMQX instead of Mosquitto, see #95 (comment). As far as I know Growatt isn't following standard MQTT specs here and EMQX is a bit more relaxed on spec deviations.

[robertzaage]

@Lisugu00, do you know why certain Growatt device series (such as the MIN-TL-XH) have trouble connecting to Mosquitto? Was there a change at some time to the underlying MQTT framework? I'm not super familiar with when each series was released or how modular firmware is developed at your company. 😊

[du476x]

Awesome will give it a try, and post the results/update the docker compose if it may help anyone in the future.