set up tls for vernemq deployed on k8s


Yang Song

Dec 16, 2022, 3:24:00 PM
to vernemq-users
Hi, I was wondering if anyone could help me figure out why I'm not able to set up TLS when VerneMQ is deployed to k8s. I have tried 3 different ways to generate a k8s secret and mount it into my container, and verified that the cert files are being passed in properly and the pods start OK.

However, when I use mosquitto_pub to test, it fails with a protocol error as below. Any suggestion how I should go about figuring out what's wrong?

One error message I'm getting when starting the pod is listed here. Is this the cause of my 8883 port not working? Thanks!

 "[error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[5]},{allow_anonymous_override,false}] due to {already_started,<0.458.0>}"

mosquitto_pub -h <hostIP> -t test -m 'test' --cafile ca.crt -i testClient -d
Client testClient sending CONNECT
Error: Protocol error

I tried accessing the cert using openssl and got back an error.

openssl s_client -servername <hostIP> -connect <hostIP>:8883 2>/dev/null | openssl x509 -noout -issuer

unable to load certificate

8774575360:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/pem/pem_lib.c:694:Expecting: TRUSTED CERTIFICATE

I tried using "openssl s_client -connect :8883 -key tls.key.pem -cert tls.cert.pem" and got back the info below.

CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1670975815
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
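
The following diagnostic script is an added example for readers of this thread; it is not part of the original post and is not VerneMQ code. It parses the "can't reconfigure mqtts listener" line quoted above and reports what can be read directly from it: the TLS listener was asked to bind 127.0.0.1:1883, which is the socket the stock vernemq.conf gives the plaintext listener (listener.tcp.default = 127.0.0.1:1883, an assumption about the default config), so it fails with already_started and port 8883 never comes up. It also checks that mounted cafile/certfile/keyfile contents are PEM blocks of the expected kind, and interprets the s_client output (0 bytes read, no peer certificate), which is why piping that output into openssl x509 yields "no start line": x509 is handed empty input. The log line, the PEM bodies and the s_client transcript are constructed copies embedded for the example.

```python
"""Diagnose a VerneMQ mqtts listener that never starts on k8s (added example, not VerneMQ code)."""
import base64
import re
from typing import Dict, List, Optional

# Constructed copy of the listener error from the post (options shortened).
SAMPLE_ERROR = (
    "[error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options "
    '[{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},'
    '{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},'
    '{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},'
    "{tls_version,'tlsv1.2'}] due to {already_started,<0.458.0>}"
)
# Constructed s_client transcript matching the post (only the lines we inspect).
SAMPLE_S_CLIENT = "CONNECTED(00000003)\nwrite:errno=54\n---\nno peer certificate available\n---\nSSL handshake has read 0 bytes and written 287 bytes\n"
# Constructed PEM bodies: valid base64 of placeholder bytes, not real key material.
_FAKE_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{_FAKE_BODY}\n-----END PRIVATE KEY-----\n"

# Assumption: the plaintext listener the stock vernemq.conf ships with.
DEFAULT_PLAINTEXT_LISTENERS = {("127.0.0.1", 1883)}

LISTENER_RE = re.compile(
    r"can't reconfigure (?P<kind>\w+) listener\(\{(?P<ip>\d+,\d+,\d+,\d+)\}, (?P<port>\d+)\)"
    r".*?due to \{(?P<reason>\w+),"
)
FILE_OPT_RE = re.compile(r'\{(cafile|certfile|keyfile),"([^"]+)"\}')


def parse_listener_error(line: str) -> Optional[Dict]:
    """Extract listener kind, bind address, port, failure reason and PEM paths from the log line."""
    m = LISTENER_RE.search(line)
    if m is None:
        return None
    return {
        "kind": m.group("kind"),
        "address": m.group("ip").replace(",", "."),  # Erlang tuple {127,0,0,1} -> dotted quad
        "port": int(m.group("port")),
        "reason": m.group("reason"),
        "files": dict(FILE_OPT_RE.findall(line)),
    }


def diagnose_listener(parsed: Dict, plaintext=DEFAULT_PLAINTEXT_LISTENERS) -> List[str]:
    """Return findings about why the parsed listener failed to start."""
    findings = []
    bind = (parsed["address"], parsed["port"])
    if parsed["kind"] == "mqtts" and bind in plaintext:
        findings.append(f"mqtts listener bound to {bind[0]}:{bind[1]}, the same socket as the "
                        "plaintext MQTT listener; set listener.ssl.default to a distinct "
                        "address, e.g. 0.0.0.0:8883")
    if parsed["reason"] == "already_started":
        findings.append("already_started: another listener already owns that socket, "
                        "so the TLS listener never came up")
    if parsed["address"] == "127.0.0.1":
        findings.append("bound to loopback only; inside a pod that is unreachable from the "
                        "Service, bind 0.0.0.0 instead")
    return findings


def check_pem(text: str, expected_label: str) -> List[str]:
    """Check that a mounted file is one PEM block of the expected kind
    ('CERTIFICATE' for cafile/certfile, 'PRIVATE KEY' for keyfile)."""
    if not text.strip():
        return ["file is empty (openssl reports 'no start line' for this)"]
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if m is None:
        return ["no PEM BEGIN/END block found (DER or bare base64 looks like this)"]
    label, body = m.group(1), m.group(2)
    problems = []
    if expected_label not in label:
        problems.append(f"expected a {expected_label} block but found {label}")
    try:
        base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64")
    return problems


def diagnose_s_client(output: str) -> List[str]:
    """Interpret a failed 'openssl s_client' transcript."""
    findings = []
    if "no peer certificate available" in output:
        findings.append("server sent no certificate, so piping into 'openssl x509' "
                        "reads empty input and reports 'no start line'")
    m = re.search(r"SSL handshake has read (\d+) bytes", output)
    if m and int(m.group(1)) == 0:
        findings.append("0 bytes read: the peer closed or reset before any ServerHello; "
                        "nothing on that port completed a TLS handshake")
    return findings


if __name__ == "__main__":
    parsed = parse_listener_error(SAMPLE_ERROR)
    for line in diagnose_listener(parsed):
        print("listener:", line)
    print("certfile ok" if not check_pem(SAMPLE_CERT, "CERTIFICATE") else "certfile bad")
    for line in diagnose_s_client(SAMPLE_S_CLIENT):
        print("s_client:", line)
```

To use it against a real deployment, feed the script the listener line from `kubectl logs` and the contents of the mounted files under /etc/ssl/vernemq; the check_pem call on a real cert only validates PEM framing and base64, it does not parse the certificate.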

Siva Balusu

Jan 31, 2023, 3:45:19 PM
to vernemq-users
Hi I have the same issue, were you able to figure out the root cause?