Connection issue: CA certificate

vfriesen · July 19, 2023, 4:05pm

Hi, we want to switch from the Moquette to the HiveMQ and have first installed an Enterprise Edition as a trial on an AWS EC2 instance. All our devices have 3 certificates: CA Certificate, Certificate and private Key. We want to continue to use these. This is what our config looks like:


...
 <tls>
            <keystore>
                <path>/opt/hivemq/conf/hivemqtest.domain.jks</path>
                <password>******</password>
                <private-key-password>******</private-key-password>
            </keystore>
            <client-authentication-mode>REQUIRED</client-authentication-mode>
            <truststore>
                <path>/opt/hivemq/conf/hivemq-trust-store.jks</path>
                <password>******</password>
            </truststore>
        </tls>
...

We have imported our CA certificate into the server trust store. However, the connection still does not work:

 2023-07-19 15:51:40,012 - Client ID: UNKNOWN, IP: 80.69.*.* was disconnected. reason: SSL handshake failed.

Do we also need to import the certificates into TrustStore or is CA enough ?

Server TLS working well, but not the client.

Greetings

AaronTLFranz · July 19, 2023, 5:01pm

Hello @vfriesen ,

First off, welcome to the HiveMQ Community! We are always happy to see new users.

Typically, when utilizing TLS in this configuration, it’s best to have a client truststore generated from the server certificate, exported from the server keystore. This client-specific truststore will allow the client to successfully complete the TLS connection. More specific details on TLS implementation for a variety of configurations can be found on our How-Tos page, available here.

Specifically, I believe the “Generate a client JKS trust store” is the pertinent section.

Please let us know if you have any further questions, and once again welcome to the HiveMQ Community!

Best,
Aaron from the HiveMQ Team

vfriesen · July 20, 2023, 7:57am

Hello @AaronTLFranz ,
Thanks for your quick reply, we are so far. The client TrustStore is already created and also has the server certificate. TLS works. What is still not working for us is authentication. As soon as we enable client-authentication-mode, we get the error message above.
For testing, I have tried to use the certificates issued by AWS for the client to exclude that it is due to the self signed certs. With the same result. I imported the CA cert from AWS into the TrustStore of the server. without connection success

Diego · July 20, 2023, 9:19am

Hello @vfriesen

Which MQTT client tool are you using to perform this mutual TLS test? Can you please share the results by using MQTT CLI (GitHub - hivemq/mqtt-cli: MQTT CLI is a useful command line interface for connecting various MQTT clients supporting MQTT 5.0 and 3.1.1) sample command below?

mqtt sub -t topic -q 1 -h TYPE_YOUR_AWS_EC2_HOST -i tls-client --cafile /path/to/server.pem --key /path/to/mqtt-client-key.pem --cert /path/to/mqtt-client-cert.pem -d

Kind regards,
Diego from HiveMQ Team

Topic		Replies	Views
TLS Mutual authentication problem HiveMQ Community Edition	1	689	June 28, 2023
Hive Mq Cloud with certificates HiveMQ Cloud	3	8135	July 28, 2021
Can't create ssl successfully, i need help	3	506	September 9, 2023
Help regarding TLS configuration hivemq docker container HiveMQ Community Edition	1	1958	April 6, 2020
TLS certificates	20	16396	July 11, 2022

Connection issue: CA certificate

Related Topics