Connection issue: CA certificate

Hi, we want to switch from Moquette to HiveMQ and have first installed an Enterprise Edition as a trial on an AWS EC2 instance. All our devices have 3 certificates: CA certificate, certificate and private key. We want to continue to use these. This is what our config looks like:

...
<tls>
    <keystore>
        <path>/opt/hivemq/conf/hivemqtest.domain.jks</path>
        <password>******</password>
        <private-key-password>******</private-key-password>
    </keystore>
    <client-authentication-mode>REQUIRED</client-authentication-mode>
    <truststore>
        <path>/opt/hivemq/conf/hivemq-trust-store.jks</path>
        <password>******</password>
    </truststore>
</tls>
...

We have imported our CA certificate into the server trust store. However, the connection still does not work:

2023-07-19 15:51:40,012 - Client ID: UNKNOWN, IP: 80.69.*.* was disconnected. reason: SSL handshake failed.

Do we also need to import the certificates into the TrustStore, or is the CA enough?

Server TLS is working well, but not the client.

Greetings

Hello @vfriesen ,

First off, welcome to the HiveMQ Community! We are always happy to see new users.

Typically, when utilizing TLS in this configuration, it’s best to have a client truststore generated from the server certificate, exported from the server keystore. This client-specific truststore will allow the client to successfully complete the TLS connection. More specific details on TLS implementation for a variety of configurations can be found on our How-Tos page, available here.

Specifically, I believe the “Generate a client JKS trust store” is the pertinent section.

Please let us know if you have any further questions, and once again welcome to the HiveMQ Community!

Best,
Aaron from the HiveMQ Team

Hello @AaronTLFranz ,
Thanks for your quick reply, we have already got that far. The client TrustStore is already created and also has the server certificate. TLS works. What is still not working for us is authentication. As soon as we enable client-authentication-mode, we get the error message above.
For testing, I have tried to use the certificates issued by AWS for the client to exclude that it is due to the self-signed certs, with the same result. I imported the CA cert from AWS into the TrustStore of the server, without connection success.

Hello @vfriesen

Which MQTT client tool are you using to perform this mutual TLS test? Can you please share the results by using MQTT CLI (GitHub - hivemq/mqtt-cli: MQTT CLI is a useful command line interface for connecting various MQTT clients supporting MQTT 5.0 and 3.1.1) sample command below?

mqtt sub -t topic -q 1 -h TYPE_YOUR_AWS_EC2_HOST -i tls-client --cafile /path/to/server.pem --key /path/to/mqtt-client-key.pem --cert /path/to/mqtt-client-cert.pem -d

Kind regards,
Diego from HiveMQ Team
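With client-authentication-mode set to REQUIRED, the broker only completes the handshake when the device certificate chains to a CA in the server truststore, so the quickest offline check is to verify the device certificate against that CA file before touching the JKS files. The following script is an added example, not from the thread or from HiveMQ; it builds a throw-away CA and two device certificates (all names and subjects are constructed) and shows which one the truststore check would accept.

```shell
#!/bin/sh
# Added example: reproduce the truststore check the broker performs on a client
# certificate when client authentication is REQUIRED. Requires openssl.
# "device-ca", "other-ca", "sensor-1" and "sensor-2" are constructed names.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA certificate and key under $WORK/<name>.{pem,key}.
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Create a device key + CSR and have the named CA sign it.
make_device_cert() {  # $1 = device name, $2 = signing CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# Returns 0 when the device certificate chains to the CA named in $2, i.e.
# the case in which a broker whose truststore holds that CA accepts the
# client; returns non-zero otherwise (the "SSL handshake failed" case).
client_cert_accepted() {  # $1 = device name, $2 = CA name in the truststore
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca device-ca            # the CA imported into the server truststore
make_ca other-ca             # an unrelated CA, e.g. from a different issuer
make_device_cert sensor-1 device-ca
make_device_cert sensor-2 other-ca

if client_cert_accepted sensor-1 device-ca; then
  echo "sensor-1: chains to device-ca, broker would accept it"
fi
if ! client_cert_accepted sensor-2 device-ca; then
  echo "sensor-2: does not chain to device-ca, broker would reject it"
fi
```

Once this check passes for a device certificate, the same CA file is what belongs in the server truststore (keytool -importcert -trustcacerts -file device-ca.pem -keystore hivemq-trust-store.jks); the device's own certificate does not need to be imported.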