MQTT Explorer - unable to verify the first certificate - Lets Encrypt

Hey there,
I am trying to use HiveMQ with a certificate offered by Let's Encrypt; unfortunately there is some validation issue with the JKS.

These are my openssl/keytool commands:

openssl pkcs12 -export -in $CERTPATH/domain.tld/cert.pem -inkey $CERTPATH/domain.tld/privkey.pem -CAfile $CERTPATH/domain.tld/fullchain.pem -caname 'ISRG Root X1' -out '/tmp/domain.tld.p12' -name domain.tld -password pass:$JKS_PASS
keytool -importkeystore -srcstoretype PKCS12 -srckeystore '/tmp/domain.tld.p12' -srcstorepass $JKS_PASS -destkeystore /opt/hivemq/conf/domain.tld.jks -deststorepass $JKS_PASS -alias domain.tld

Maybe you faced a similar challenge using MQTT and some public CA.
Some certificate details here:

Hello @Dominic,

Thank you for the outreach, and welcome to the HiveMQ Community!

Could you please clarify which broker we are looking to connect to that we are providing the certificate for? Based on the details you’ve provided regarding the certificate, it sounds like this may be a cloud broker but as the configuration for HiveMQ Cloud and other HiveMQ brokers are different, I want to be sure of this to offer the most accurate information possible.

Could you also provide the specific errors that you are encountering when attempting to use the certificate?

Additionally, here are some more resources for certificate implementation:

HiveMQ Broker (non-cloud) How-To Guide for server-side TLS

HiveMQ Cloud Server CA File (within the FAQ)

HiveMQ Cloud Community Forum Thread Regarding TLS Configuration

Best,
Aaron from HiveMQ Team

Hey Aaron,
Sure, I am using the on-prem HiveMQ Broker, located on a Debian 12 VM. Some time ago, I already had a HiveMQ using Let's Encrypt / certbot working.

The keystore looks valid to me.

Hello @Dominic,

Thank you for the follow-up!

Could you please provide errors that are presented when attempting to complete a connection, as well as a config.xml for the broker that is using this certificate? Please obfuscate any privileged areas, such as passwords or file paths.

Based on initial review, the process here looks solid, but I want to ensure that we have a complete picture to investigate.

Best,
Aaron from the HiveMQ Team

Seems that I got it.

Sure, here is my current config:

config.xml
<hivemq>
    <listeners>
        <tcp-listener>
            <name>IP1-Listener-MQTT</name>
            <port>1883</port>
            <bind-address>172.16.0.1</bind-address>
        </tcp-listener>
        <tcp-listener>
            <name>IP2-Listener-MQTT</name>
            <port>1883</port>
            <bind-address>172.16.0.2</bind-address>
        </tcp-listener>
        <tls-tcp-listener>
            <name>IP1-Listener-MQTTS</name>
            <port>1884</port>
            <bind-address>172.16.0.1</bind-address>
            <tls>
                <keystore>
                    <path>/opt/hivemq/conf/mqtt.domain.tld.jks</path>
                    <password>pw-goes-here</password>
                    <private-key-password>pw-goes-here</private-key-password>
                </keystore>
            </tls>
        </tls-tcp-listener>
        <tls-tcp-listener>
            <name>IP2-Listener-MQTTS</name>
            <port>1884</port>
            <bind-address>172.16.0.2</bind-address>
            <tls>
                <keystore>
                    <path>/opt/hivemq/conf/mqtt.domain.tld.jks</path>
                    <password>pw-goes-here</password>
                    <private-key-password>pw-goes-here</private-key-password>
                </keystore>
            </tls>
        </tls-tcp-listener>

        <websocket-listener>
            <port>8000</port>
            <bind-address>0.0.0.0</bind-address>
            <path>/mqtt</path>
            <subprotocols>
                <subprotocol>mqttv3.1</subprotocol>
                <subprotocol>mqtt</subprotocol>
            </subprotocols>
            <allow-extensions>true</allow-extensions>
        </websocket-listener>
    </listeners>
    <web-ui>
        <enabled>true</enabled>
    </web-ui>
</hivemq>
get-cert.sh
openssl pkcs12 -export -in $CERTPATH/$MAINDOMAIN/fullchain.pem -inkey $CERTPATH/$MAINDOMAIN/privkey.pem -out '/tmp/'$MAINDOMAIN'-tmp.p12' -name $MAINDOMAIN -password pass:$JKS_PASS
keytool -importkeystore -srcstoretype PKCS12 -srckeystore '/tmp/'$MAINDOMAIN'-tmp.p12' -srcstorepass $JKS_PASS -destkeystore /opt/hivemq/conf/$MAINDOMAIN.jks -deststorepass $JKS_PASS -alias $MAINDOMAIN
# delete temp file
if [ -f '/tmp/'$MAINDOMAIN'-tmp.p12' ] ; then
	rm '/tmp/'$MAINDOMAIN'-tmp.p12' > /dev/null
fi

So I personally think that it's something Java/JKS or Let's Encrypt related, but maybe that's something you or existing HiveMQ customers have faced. I also had some services running, but it seems that I missed something with the current one. I used different ways to utilize "openssl pkcs12 -export" in the script.
As a client I used MQTT Explorer with the Validate certificate option, but maybe I found an issue within MQTT Explorer. While testing it I found that MQTTX works, but MQTT Explorer says "Certificate has expired", which is not true. BTW: of course I used the tld to connect to the broker.
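Added example for readers hitting the same two errors; this is not code from the thread, from HiveMQ or from MQTT Explorer. "unable to verify the first certificate" is what Node.js/OpenSSL-based clients (MQTT Explorer is an Electron application) report when the broker sends only the leaf certificate and the client cannot find the issuing intermediate. The first pair of commands in this thread passes the chain via -CAfile without -chain, which does not put it into the PKCS12; the later get-cert.sh reads fullchain.pem with -in, and openssl pkcs12 -export carries every certificate in that file. The script below builds a PKCS12 the second way from a constructed root/intermediate/leaf so it runs offline (mqtt.example.test, "Test Root", "Test Intermediate" and the password changeit are placeholders for $MAINDOMAIN and $JKS_PASS), then checks what actually ended up inside: the certificate count, whether the private key belongs to the leaf, that the leaf verifies through the intermediate, and the notAfter of every certificate in the bundle. The same listing can be run over the chain captured from the live broker with fetch_served_chain.

```shell
#!/bin/sh
# Added example (not from the thread or from HiveMQ): build a PKCS12 from a
# fullchain-style bundle, as get-cert.sh does, then inspect what it contains.
# Root, intermediate and leaf are constructed test certificates; the domain
# and password are placeholders for $MAINDOMAIN and $JKS_PASS.
set -e

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="mqtt.example.test"
P12_PASS="changeit"

# Key + CSR for one name (assumed helper, not part of any real deployment).
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Throw-away root -> intermediate -> leaf so the script runs offline.
# In production leaf.key/fullchain.pem are certbot's privkey.pem/fullchain.pem.
make_test_chain() {
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$DOMAIN" >"$WORK/leaf.ext"
    csr root "Test Root"
    csr int "Test Intermediate"
    csr leaf "$DOMAIN"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # certbot's fullchain.pem is the leaf followed by the intermediate(s)
    cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/fullchain.pem"
}

# Every certificate in the -in file goes into the PKCS12: the one matching
# -inkey becomes the entity certificate, the others become CA certificates.
export_p12() {
    openssl pkcs12 -export -in "$WORK/fullchain.pem" -inkey "$WORK/leaf.key" \
        -name "$DOMAIN" -out "$WORK/$DOMAIN.p12" -password "pass:$P12_PASS"
}

# Optional: the same JKS import as get-cert.sh, then show the chain length.
import_jks() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not installed, skipping JKS import" >&2; return 0; }
    keytool -importkeystore -srcstoretype PKCS12 -srckeystore "$WORK/$DOMAIN.p12" \
        -srcstorepass "$P12_PASS" -destkeystore "$WORK/$DOMAIN.jks" \
        -deststorepass "$P12_PASS" -srcalias "$DOMAIN" -destalias "$DOMAIN" -noprompt
    keytool -list -v -keystore "$WORK/$DOMAIN.jks" -storepass "$P12_PASS" | grep 'Certificate chain length'
}

# How many certificates the PKCS12 actually carries (leaf + intermediates).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# "yes" if private key $1 belongs to the first certificate in bundle $2.
key_matches_leaf() {
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo yes; else echo no; fi
}

# Chain validation the way a client does it: the leaf must reach a trusted
# root via the intermediate(s) the server sends along.
verify_leaf() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# Split a PEM bundle into one file per certificate (split-1.pem, split-2.pem, ...).
split_bundle() {
    rm -f "$WORK"/split-*.pem
    awk -v d="$WORK" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/split-" n ".pem")}' "$1"
}

# Subject, issuer and notAfter of every certificate in a bundle.
show_bundle() {
    split_bundle "$1"
    for f in "$WORK"/split-*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -enddate
    done
}

# Number of already-expired certificates in a bundle (-checkend 0 fails once
# notAfter is in the past).
count_expired() {
    split_bundle "$1"
    n=0
    for f in "$WORK"/split-*.pem; do
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || n=$((n + 1))
    done
    echo "$n"
}

# The chain a running broker sends on the wire; feed it to show_bundle:
#   fetch_served_chain mqtt.domain.tld 1884 >served.pem && show_bundle served.pem
fetch_served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

make_test_chain
export_p12
echo "certificates in PKCS12: $(p12_cert_count "$WORK/$DOMAIN.p12")"
echo "key matches leaf:       $(key_matches_leaf "$WORK/leaf.key" "$WORK/fullchain.pem")"
verify_leaf
show_bundle "$WORK/fullchain.pem"
echo "expired certificates:   $(count_expired "$WORK/fullchain.pem")"
import_jks
```

If the PKCS12 reports a single certificate, the broker can only send the leaf and Node.js clients will fail with "unable to verify the first certificate" no matter how the JKS is configured. If the leaf is valid but a client still says the certificate has expired, the complaint is usually about another certificate in the served chain or in that client's own bundled trust store, and the per-certificate listing of the captured chain shows which notAfter is in the past.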