Problem configuring TLS WS

I would like to request help diagnosing a problem configuring TLS WebSockets for an MQTT broker.

I created the keystore using this script and the certs provided by the CA for the mqtt.hostname.com domain:

    brokerKeystoreName="hivemq"
    brokerKeystorePass="--redacted--"
    brokerCertName="mqtt_hostname_com/mqtt_hostname_com"
    rootCACertName="mqtt_hostname_com/DigiCertCA"

    # Import broker cert. "keytool -import" of a .crt file stores a trusted
    # certificate entry (certificate only); the "yes" answers the trust prompt.
    printf "yes\n" | keytool -import -file "${brokerCertName}.crt" -alias "hivemq" \
      -keystore "${brokerKeystoreName}.jks" -storepass "$brokerKeystorePass"

    # Import root CA cert into the same store.
    printf "yes\n" | keytool -import -file "${rootCACertName}.crt" -alias "digicert" \
      -keystore "${brokerKeystoreName}.jks" -storepass "$brokerKeystorePass"

When I try to activate it in the HiveMQ config file I get this error:

    ERROR - Could not read the configuration file /opt/hivemq/conf/config.xml. Using default config

Here's the config snippet:

        <tls-websocket-listener>
            <port>443</port>
            <bind-address>0.0.0.0</bind-address>
            <path>/mqtt</path>
            <subprotocols>
                <subprotocol>mqttv3.1</subprotocol>
                <subprotocol>mqtt</subprotocol>
            </subprotocols>
            <allow-extensions>true</allow-extensions>
            <proxy-protocol>true</proxy-protocol>
            <tls>
                <client-authentication-mode>NONE</client-authentication-mode>
                <truststore>
                    <path>/opt/hivemq/conf/broker-truststore.jks</path>
                    <password>--redacted--</password>
                </truststore>
            </tls>
        </tls-websocket-listener>

If I remove the tls-websocket-listener element the rest of config.xml works as expected. Is the problem related to the truststore?

Hi @aim4apex,

It seems you are using the wrong store tag. Can you please rename truststore to keystore, add the private-key-password as shown in the example below, and try again?

You only need the truststore when you want to verify certs from clients, but as you have client-authentication-mode set to NONE we don't need this.

Keystore config example:

    <keystore>
       <path>/path/to/the/key/store.jks</path>
       <password>password-keystore</password>
       <private-key-password>password-key</private-key-password>
    </keystore>

Greetings,
Michael from the HiveMQ team

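The reply above pins the failure on a truststore being used where a keystore belongs. The following is an added example, not HiveMQ code or anything from the thread: a small checker that walks a config.xml with Python's standard xml.etree, flags a tls-websocket-listener that has no keystore (or a keystore missing the path, password or private-key-password the reply calls for), and flags a truststore that is dead weight under client-authentication-mode NONE. It generalises the thread's single listener to any number of listeners in one file. The hivemq/listeners wrapper elements in the constructed samples and the "REDACTED" passwords are assumptions for the sake of a complete document; the element names inside the listener are the ones the thread shows.

```python
"""Added example: sanity-check <tls-websocket-listener> blocks for the
keystore/truststore mix-up discussed in this thread. Not HiveMQ's own code."""
import xml.etree.ElementTree as ET

# Constructed sample 1: the poster's listener, with a truststore where the
# keystore belongs (the <hivemq>/<listeners> wrapper is an assumption).
BROKEN_CONFIG = """<hivemq>
  <listeners>
    <tls-websocket-listener>
      <port>443</port>
      <bind-address>0.0.0.0</bind-address>
      <path>/mqtt</path>
      <tls>
        <client-authentication-mode>NONE</client-authentication-mode>
        <truststore>
          <path>/opt/hivemq/conf/broker-truststore.jks</path>
          <password>REDACTED</password>
        </truststore>
      </tls>
    </tls-websocket-listener>
  </listeners>
</hivemq>"""

# Constructed sample 2: the same listener after applying the reply's advice.
FIXED_CONFIG = """<hivemq>
  <listeners>
    <tls-websocket-listener>
      <port>443</port>
      <bind-address>0.0.0.0</bind-address>
      <path>/mqtt</path>
      <tls>
        <client-authentication-mode>NONE</client-authentication-mode>
        <keystore>
          <path>/opt/hivemq/conf/broker-keystore.jks</path>
          <password>REDACTED</password>
          <private-key-password>REDACTED</private-key-password>
        </keystore>
      </tls>
    </tls-websocket-listener>
  </listeners>
</hivemq>"""

# Fields the reply's keystore example carries; all three must be non-empty.
REQUIRED_KEYSTORE_FIELDS = ("path", "password", "private-key-password")


def _nonempty(parent: ET.Element, tag: str) -> bool:
    """True if <parent> has a direct child <tag> with non-blank text."""
    text = parent.findtext(tag)
    return text is not None and text.strip() != ""


def check_tls_websocket_listeners(config_xml: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the
    listener blocks are structurally consistent with the reply's advice."""
    root = ET.fromstring(config_xml)
    findings: list[str] = []
    # Element.iter() includes the root itself, so this also works when the
    # input is a bare <tls-websocket-listener> fragment.
    for listener in root.iter("tls-websocket-listener"):
        label = f"listener on port {(listener.findtext('port') or '?').strip()}"
        tls = listener.find("tls")
        if tls is None:
            findings.append(f"{label}: no <tls> element")
            continue
        keystore = tls.find("keystore")
        if keystore is None:
            # Without its own key pair the broker cannot terminate TLS at all.
            findings.append(f"{label}: missing <keystore> (the broker's own private key and certificate)")
        else:
            for tag in REQUIRED_KEYSTORE_FIELDS:
                if not _nonempty(keystore, tag):
                    findings.append(f"{label}: <keystore> lacks <{tag}>")
        mode = (tls.findtext("client-authentication-mode") or "NONE").strip().upper()
        truststore = tls.find("truststore")
        if truststore is not None and mode == "NONE":
            # The truststore only serves client-certificate verification.
            findings.append(f"{label}: <truststore> is present but client-authentication-mode is NONE, so it is never used")
        if truststore is None and mode != "NONE":
            findings.append(f"{label}: client-authentication-mode is {mode} but there is no <truststore> to verify client certificates against")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in check_tls_websocket_listeners(cfg) or ["OK"]:
            print("  " + finding)
```

Run it against a real config.xml by reading the file into a string and passing it to check_tls_websocket_listeners; it only reports structural problems, so an empty result still leaves the keystore contents (a PrivateKeyEntry under the broker alias, not just trusted certificates) to be confirmed with keytool -list.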

Thank you for the helpful reply.