Adding TLS certs client connections using Swarm tool

Hi Dasha,
I have been using the non-secure mode to connect to the load balancer using TLS.
Using the non-secure TLS mode I’m able to connect to the LB from my local machine to make client connections, but not from the VM. Should we try to add the certs for the client connection authentication?
If so, does the securityProvider extension suffice for this need?
I have used the hivemq-swarm-hello-world-extension using a TLS keystore & truststore; which tag should be used when using certs?
The security extension is reading the certs but not making any connections from my local machine. Could you please share an example or any recommendation?

Thanks in advance!

Hi happy,

Thanks for contacting us.

  • Is the load balancer hostname the same from the point of view of the local machine and of the VM?
  • Is that a self-signed certificate you are using?
  • Did you configure the file /etc/hosts file in the VM?
  • What is your error output?

Get more SSL debug info:

OpenSSL command line program

The command line utility openssl includes a wide variety of tools that ease working with SSL. For the purpose of obtaining meaningful insight into what is happening during the connection with HiveMQ, s_client is of special interest to us. It is a minimal SSL client implementation and ideal for examining this step of communication between an MQTT client and broker. Note that openssl does not contain functionality beyond this, so MQTT features cannot be tested with it as is.

You will need to provide all elements (CA, key, cert) required via command line options. To enable verbose output, add the -debug option:

openssl s_client -connect <hostname>:8883 -CAfile ca.cert.pem -key client1.key.pem -cert client1.cert.pem -debug

Hostname and port will need to match your node’s configuration.

Thanks,
Dasha from HiveMQ

Here in the Swarm docs under commands it mentions the possibility of using TLS as part of the client connection in addition to or instead of username/password. For example, can we link to a .pem or other type of file in the connect tag?

HiveMQ Swarm Commands :: HiveMQ Documentation

Hello Danial,

To enable the use of TLS key stores and trust stores for client authentication you need to implement a security provider in the form of a HiveMQ Swarm Extension. The security provider has access to the connect command attributes. For example, a directory where the certificates are to be looked for could be passed as an additional attribute of the connect tag. For example, you can put the .pem certificates into .jks key- and trust-stores.

I hope this helps. Please let us know when you have further questions.

Kind regards,
Dasha from HiveMQ Team
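The following script is an added example and is not code from this thread, from HiveMQ or from the Swarm extension SDK. It ties together the two answers above: the s_client debugging command from the first reply and the PEM-to-keystore packaging mentioned in the second. Before pointing s_client or a security provider at the load balancer, it runs the pre-flight checks that explain most "the extension reads the certs but never connects" situations on the machine in question (the VM, in the original question): does the client certificate chain to the CA, does the private key actually belong to the certificate, and is the certificate valid on that machine's clock. It then packages the PEM files into a PKCS#12 store, which Java's KeyStore can load directly. The CA, client key and certificate it generates are constructed throwaway material; the file names, the password `changeit`, the host `lb.example.invalid` and the port are assumptions for the demo, and the `-servername` and `-verify_return_error` flags are standard s_client options added on top of the command given in the reply.

```shell
#!/bin/sh
# Added example (not HiveMQ's code): TLS client-material pre-flight checks and
# PKCS#12 packaging around the openssl s_client command discussed above.
# All key/cert files are constructed here; nothing is fetched from a real PKI.

# Build a throwaway PKI in $1: a self-signed CA and one client cert it signs.
make_test_pki() {
  dir=$1
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Constructed Test CA" \
    -days 1 -out "$dir/ca.crt" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/client.key" 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=client1" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/client.crt" 2>/dev/null
}

# Return 0 only if ca.crt / client.crt / client.key in $1 are usable together.
check_client_materials() {
  dir=$1
  # 1. The client cert must chain to the CA the broker / LB is configured to trust.
  if ! openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1; then
    echo "client.crt does not verify against ca.crt" >&2; return 1
  fi
  # 2. The private key must belong to the cert: compare the public keys.
  #    A mismatch here produces a handshake that fails with no useful client log.
  key_pub=$(openssl pkey -in "$dir/client.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$dir/client.crt" -pubkey -noout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "client.key does not match client.crt" >&2; return 1
  fi
  # 3. The cert must be valid right now on this machine's clock (VM clocks drift).
  if ! openssl x509 -in "$dir/client.crt" -checkend 0 -noout >/dev/null 2>&1; then
    echo "client.crt is expired" >&2; return 1
  fi
  return 0
}

# Package key + cert + CA into client.p12. Java's KeyStore.getInstance("PKCS12")
# reads this directly, so a Swarm security provider can load it without keytool.
# Returns 0 only if the store can be re-opened with the same password.
make_pkcs12_keystore() {
  dir=$1; password=$2
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/ca.crt" -name client1 -out "$dir/client.p12" \
    -passout "pass:$password" 2>/dev/null \
  && openssl pkcs12 -in "$dir/client.p12" -passin "pass:$password" -noout 2>/dev/null
}

# Print the s_client command from the reply above, plus -servername (SNI, so a
# load balancer fronting several names presents the right certificate) and
# -verify_return_error (abort on a failed chain check instead of continuing).
build_s_client_cmd() {
  host=$1; port=$2; dir=$3
  printf 'openssl s_client -connect %s:%s -servername %s -CAfile %s/ca.crt -key %s/client.key -cert %s/client.crt -verify_return_error -debug\n' \
    "$host" "$port" "$host" "$dir" "$dir" "$dir"
}

# Stand-alone demo: sh this_script.sh --demo
if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d"
  check_client_materials "$d" \
    && make_pkcs12_keystore "$d" changeit \
    && build_s_client_cmd lb.example.invalid 8883 "$d"
fi
```

Run the checks on the VM itself, not on the machine where the connection already works: if they pass there, the material is fine and the remaining suspects are the hostname (the load balancer must be reached under the name in its certificate, hence `-servername`) and which CA the LB actually presents. For a separate JKS truststore containing only the CA, the JDK's own tool does it: `keytool -importcert -alias ca -file ca.crt -keystore truststore.jks -storepass changeit -noprompt`.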