How to generate the pem files for SSL configuration


Merlin Couch

May 19, 2021, 7:47:23 AM
to vernemq-users

Hello to all.

This is not a Verne question, but I'm stuck in the Verne configuration as I don't know how to generate the three files:
  • cacerts.pem
  • cert.pem
  • key.pem
Any pointer to some simple documentation, or an example, or even better both, would be highly welcome.

Thanks in advance
Merlin

André Fatton

May 19, 2021, 8:17:14 AM
to vernemq-users
Hi Merlin,

I can't directly help with setting up TLS certs, maybe somebody on the list here has a good reference.
The RabbitMQ guide on SSL might be useful: https://www.rabbitmq.com/ssl.html
(obviously, Verne configuration does not work in the same manner, but the explanation and generation of the 3 files should be pretty much the same).
Best,
André

Merlin Couch

May 20, 2021, 7:23:47 AM
to vernemq-users
Hi André,

Thanks very much for the link. The generation of the files is indeed quite straightforward, but at the end of the day it doesn't work. Here is a short summary of what I did; if somebody knows what is wrong in there or how to make it right, I'm greatly interested.


The generation of the pem files is straightforward:
  • I got tls-gen from https://github.com/michaelklishin/tls-gen
  • then generated the pem files with the basic profile
  • then took the files ca_certificate.pem, server_certificate.pem, server_key.pem and put them in ./etc/ssl
  • then I restarted vernemq with the new configuration set to ssl
  • and, eventually I checked with openssl s_client -connect localhost:8883 and got no error

All this seemed promising, yet, it doesn't work...

In my configuration, I have
  • a vernemq broker running in a Docker container listening on port 8883 with the previous pem files. I also changed the log level to debug, but actually get only this message: 06:01:36.544 [debug] 0ms mailbox traversal, schedule next lazy broadcast in 10000ms, the min interval is 10000ms. I would have expected a bit more than that at debug level (connection attempts, message reception and forwarding, etc.), but that's not the topic
  • a publisher written in Elixir which uses "tortoise v0.9" as the MQTT client lib
  • the subscriber is also meant to be an Elixir node, but for the moment it's a mosquitto fake subscriber just printing what it receives. It is started as
    • mosquitto_sub -d -u user1 -P password1 -p 8883 -t 'topic/#' -F "%I : %t : %p" -i client_1
  • For testing I also have a mosquitto publisher:
    • mosquitto_pub   -u user1 -P password1   -h localhost -p 8883   -t 'topic/help'   -m "message in a bottle"
  • all that stuff runs on the same machine
This chain works fine without SSL configuration (on port 1883).

When I configure SSL:
  • verneMQ doesn't report any information regarding SSL in the logs (loglevel set to debug). As it does if I add a character to a file or if the files are missing, I suppose it's happy with the SSL config
  • the mosquitto subscriber connects (or attempts to connect) and produces the following message
    • Client client_1 sending CONNECT
    • and after a while: Error: MOSQ_OPT_SSL_CTX_WITH_DEFAULTS used without specifying cafile, capath or psk.
    • After some googling, I found that this is related to a missing CA file, so I tried: mosquitto_sub -d -u user1 -P password1 -p 8883 -t 'topic/#' -F "%I : %t : %p" --cafile ca_certificate.pem -i client_1 but then I get the following message every minute or so
      • Client client_1 sending CONNECT
  • If I try to publish a message with mosquitto_pub
    • mosquitto_pub -d -u user1 -P password1 -h localhost -p 8883 -t 'topic/subt' -m "message in a bottle" -i client_3
    • I get a Client client_3 sending CONNECT message and after a while mosquitto_pub exits with Error: Unknown error.
    • This happens whether I provide the --cafile option or not.
  • Finally, if I use my Elixir publisher with Tortoise.publish("mqtt_cnx", "topic/subt", "Bonjour ô monde"), it just gets stuck forever

Regards

Merlin