Hello,
I am trying to use certificates to connect the gateway to my MQTT broker.
Here is my setup:
MQTT broker:
- Mosquitto 2.0.15 as a Docker container on a VPS
- mosquitto.conf:
```
per_listener_settings true
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
listener 1883
## Authentication ##
allow_anonymous false
password_file /mosquitto/data/password.txt
listener 8883
cafile /mosquitto/config/certs/ca.crt
certfile /mosquitto/config/certs/broker.crt
keyfile /mosquitto/config/certs/broker.key
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
```
Gateway:
**esp32dev-multi_receiver with the configurations:**
- prod_env.ini:
```ini
[env:esp32dev-multi_receiver]
platform = ${com.esp32_platform}
board = esp32dev
board_build.partitions = min_spiffs.csv
lib_deps =
  ${com-esp.lib_deps}
  ${libraries.rc-switch}
  ${libraries.smartrc-cc1101-driver-lib}
  ${libraries.rtl_433_ESP}
  ${libraries.esppilight}
  ${libraries.newremoteswitch}
  ${libraries.wifimanager32}
build_flags =
  ${com-esp.build_flags}
  '-DZgatewayRF="RF"'
  '-DZgatewayRF2="RF2"'
  '-DZgatewayRTL_433="RTL_433"'
  '-DZgatewayPilight="Pilight"'
  '-DZradioCC1101="CC1101"'
  '-DGateway_Name="OpenMQTTGateway_multi_receiver"'
  '-DvalueAsASubject=true' ; mqtt topic includes model and device (rtl_433) or protocol and id ( RF and PiLight )
  ; '-DDEFAULT_RECEIVER=1' ; Default receiver to enable on startup
  '-DESPWifiManualSetup="true"'
  '-Dwifi_ssid="redacted"'
  '-Dwifi_password="redacted"'
  '-DMQTT_USER="redacted"'
  '-DMQTT_PASS="redacted"'
  '-DMQTT_SERVER="redacted"'
  '-DMQTT_PORT="8883"'
  '-DMQTT_SECURE_SELF_SIGNED=1'
```
Certificates configured in `User_config.h`:
- CA certificate copied under:
```cpp
const char* ss_server_cert PROGMEM = R"EOF("
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
")EOF";
```
- client certificate and key:
```cpp
const char* ss_client_cert PROGMEM = R"EOF("
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
")EOF";
const char* ss_client_key PROGMEM = R"EOF("
-----BEGIN RSA PRIVATE KEY-----
redacted
-----END RSA PRIVATE KEY-----
")EOF";
```
Using the same certificates, I can connect without issues to the broker using MQTT.fx, but the gateway cannot.
Here are the errors I get:
- on the terminal:
```
W: MQTT connection...
[E][WiFiClient.cpp:439] read(): fail on fd 55, errno: 104, "Connection reset by peer"
W: failure_number_mqtt: 1
W: failed, rc=-1
```
- on the broker:
```
1663400152: Client OpenMQTTGateway_multi_receiver has exceeded timeout, disconnecting.
1663400165: New connection from redacted:62689 on port 8883.
1663400165: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400165: Client <unknown> disconnected: Protocol error.
1663400187: New connection from redacted:62690 on port 8883.
1663400187: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400187: Client <unknown> disconnected: Protocol error.
1663400196: New connection from redacted:50931 on port 8883.
1663400196: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400196: Client <unknown> disconnected: Protocol error.
1663400219: New connection from redacted:50932 on port 8883.
1663400219: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400219: Client <unknown> disconnected: Protocol error.
...
```
I have the feeling I am missing something. I tried different `tls_version` values, but with no positive results. BTW, the error is the same (`ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version`) if I comment out `tls_version`, which makes me think it is something with the certificates inside the gateway.
Also, the CA is created with the correct FQDN (my DDNS address).
Of course, if I use user/pass on port 1883, it works fine.
Please tell me what I am doing wrong.
Thank you!
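A small triage helper for the broker-side log, added here as an example; it is not part of the post above and not code from Mosquitto or OpenMQTTGateway. It parses Mosquitto 2.0 log lines in the format shown in the post (the sample lines below are constructed, with documentation-range addresses in place of the redacted ones), pairs each `New connection` line with the outcome lines that follow it, and translates the OpenSSL reason text into the TLS alert it denotes, so that repeated `protocol version` alerts from one source can be told apart from password failures and successful connections on the same listener. OpenSSL errors carry no peer address, so attributing them to the newest pending connection is a heuristic of this script, not something the log format guarantees.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the Mosquitto 2.0 log format in the post; the
# source addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
1663400152: Client OpenMQTTGateway_multi_receiver has exceeded timeout, disconnecting.
1663400165: New connection from 203.0.113.10:62689 on port 8883.
1663400165: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400165: Client <unknown> disconnected: Protocol error.
1663400187: New connection from 203.0.113.10:62690 on port 8883.
1663400187: OpenSSL Error[0]: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
1663400187: Client <unknown> disconnected: Protocol error.
1663400200: New connection from 203.0.113.20:50100 on port 8883.
1663400200: New client connected from 203.0.113.20:50100 as mqttfx-test (p2, c1, k60, u'mqttfx-test').
1663400210: New connection from 203.0.113.30:41000 on port 1883.
1663400210: Client <unknown> disconnected, not authorised.
"""

# OpenSSL reason strings that mean the *peer* sent a TLS alert, mapped to the
# alert description name and number (RFC 5246 section 7.2 / RFC 8446 section 6).
PEER_ALERT_REASONS = {
    "tlsv1 alert protocol version": ("protocol_version", 70),
    "tlsv1 alert unknown ca": ("unknown_ca", 48),
    "sslv3 alert bad certificate": ("bad_certificate", 42),
    "sslv3 alert handshake failure": ("handshake_failure", 40),
    "tlsv13 alert certificate required": ("certificate_required", 116),
}

NEW_CONN = re.compile(r"^(\d+): New connection from (\S+):(\d+) on port (\d+)\.$")
CONNECTED = re.compile(r"^(\d+): New client connected from (\S+):(\d+) as (\S+) ")
SSL_ERR = re.compile(r"^(\d+): OpenSSL Error\[\d+\]: error:[0-9A-Fa-f]+:SSL routines:(\w+):(.+)$")
UNKNOWN_DISC = re.compile(r"^(\d+): Client <unknown> disconnected[:,] (.+)\.$")


@dataclass
class Attempt:
    ts: int
    src_ip: str
    src_port: int
    listener: int
    outcome: str = "pending"          # pending | connected | failed
    client_id: Optional[str] = None
    ssl_reason: Optional[str] = None  # OpenSSL reason text, if the handshake failed
    detail: Optional[str] = None      # Mosquitto's own disconnect reason


def _newest_pending(attempts: List[Attempt]) -> Optional[Attempt]:
    for a in reversed(attempts):
        if a.outcome == "pending":
            return a
    return None


def parse_mosquitto_log(text: str) -> List[Attempt]:
    """Pair each 'New connection' line with the outcome lines that follow it."""
    attempts: List[Attempt] = []
    by_src: Dict[Tuple[str, int], Attempt] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := NEW_CONN.match(line):
            a = Attempt(int(m[1]), m[2], int(m[3]), int(m[4]))
            attempts.append(a)
            by_src[(a.src_ip, a.src_port)] = a
        elif m := CONNECTED.match(line):
            a = by_src.get((m[2], int(m[3])))
            if a:
                a.outcome, a.client_id = "connected", m[4]
        elif m := SSL_ERR.match(line):
            # No peer address on this line: attach to the newest pending attempt
            # (heuristic; interleaved clients could be misattributed).
            a = _newest_pending(attempts)
            if a:
                a.ssl_reason = m[3].strip()
        elif m := UNKNOWN_DISC.match(line):
            a = _newest_pending(attempts)
            if a:
                a.outcome, a.detail = "failed", m[2]
    return attempts


def explain_ssl_reason(reason: str) -> str:
    """Say whether the alert came from the peer (the client) or was raised locally."""
    if reason in PEER_ALERT_REASONS:
        name, code = PEER_ALERT_REASONS[reason]
        return f"peer sent TLS alert {name} ({code})"
    return f"local handshake error: {reason}"


def summarize(attempts: List[Attempt]) -> Dict[Tuple[str, int], Counter]:
    """Count outcomes per (source IP, listener port)."""
    summary: Dict[Tuple[str, int], Counter] = defaultdict(Counter)
    for a in attempts:
        key = (a.src_ip, a.listener)
        if a.outcome == "connected":
            summary[key]["connected"] += 1
        elif a.ssl_reason is not None:
            summary[key][explain_ssl_reason(a.ssl_reason)] += 1
        elif a.outcome == "failed":
            summary[key][a.detail or "failed"] += 1
        else:
            summary[key]["no outcome logged"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (ip, port), counts in summarize(parse_mosquitto_log(SAMPLE_LOG)).items():
        for reason, n in counts.items():
            print(f"{ip} -> listener {port}: {n} x {reason}")
```

Run it against a real `mosquitto.log` by reading the file into `parse_mosquitto_log`. A source that only ever produces `peer sent TLS alert protocol_version (70)` on 8883 is a client that rejected the server's TLS version offer before any certificate was checked, which is a different population from clients that fail with `not authorised` on 1883 or with a certificate-related alert.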