Hi, I was wondering if anyone could help me figure out why I'm not able to set up tls when vernemq is deployed to k8s. I have tried 3 different ways to generate k8s secret and mount to my container and verified that cert files are being passed in properly and the pods starts OK.
However, when I use mosquitto_pub to test, it fails with protocl error as below. Any suggestion how I should go about figuring out what's wrong?
One error message I'm getting when starting the pod is listed here. Is this the cause of my 8883 port not working? Thanks!
"[error] can't reconfigure mqtts listener({127,0,0,1}, 1883) with Options [{max_connections,10000},{nr_of_acceptors,10},{mountpoint,[]},{cafile,"/etc/ssl/vernemq/ca.crt"},{depth,1},{certfile,"/etc/ssl/vernemq/tls.crt"},{eccs,[secp521r1,brainpoolP512r1,brainpoolP384r1,secp384r1,brainpoolP256r1,secp256k1,secp256r1,secp224k1,secp224r1,secp192k1,secp192r1,secp160k1,secp160r1,secp160r2]},{keyfile,"/etc/ssl/vernemq/tls.key"},{require_certificate,false},{tls_version,'tlsv1.2'},{use_identity_as_username,false},{allowed_protocol_versions,[5]},{allow_anonymous_override,false}] due to {already_started,<0.458.0>}"
mosquitto_pub -h <hostIP> -t test -m ‘test’ --cafile ca.crt -i testClient -d
Client testClient sending CONNECT
Error: Protocol error
I tried access the cert using openssl and got back and error.
openssl s_client -servername <hostIP> -connect hostIP:8883 2>/dev/null | openssl x509 -noout -issuer
unable to load certificate
8774575360:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/pem/pem_lib.c:694:Expecting: TRUSTED CERTIFICATE
I tried using " openssl s_client -connect :8883 -key tls.key.pem -cert tls.cert.pem", got back the info below.
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1670975815
Timeout : 7200 (sec)
Verify return code: 0 (ok)