TLS not working

banjobyster · October 28, 2022, 3:31pm

The issue is I am trying to implement TLS following these two links:
https://www.hivemq.com/blog/end-to-end-encryption-in-the-cloud/
https://www.hivemq.com/blog/mqtt-client-library-mqtt-js/

Here below I have described what I did.

(1) keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass hello123 -validity 360 -keysize 2048

I created a .jks file using this command. Had the key for <hivemq> alias set to hellokey123

Checked the jks file using command: keytool -list -v -keystore hivemq.jks    
and it opened with password "hello123", thus no error in its creation

(2) Exported keystore to a .pem file using: keytool -exportcert -alias hivemq -keystore hivemq.jks -rfc -file server.pem

Checked the .pem file with command: openssl rsa -in server.pem -out private.key
Error given: 
unable to load Private Key
15156:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1k/crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

(3) Created .pem based client certificate using: openssl req -x509 -newkey rsa:2048 -keyout mqtt-client-key.pem -out mqtt-client-cert.pem -days 360

Checked the .pem files with command: openssl rsa -in [filename].pem -out private.key
The files were exported with the set pem passphrase

(4) Exported client certificate from the PEM file into an CRT file using command: openssl x509 -outform der -in mqtt-client-cert.pem -out mqtt-client-cert.crt

(5) Imported the certificate into a Java keystore using command: keytool -import -file mqtt-client-cert.crt -alias client -keystore hivemq-trust-store.jks -storepass hellotrust123

Checked the jks file using command: keytool -list -v -keystore hivemq-trust-store.jks
And it opened with password "hellotrust123", thus no error in its creation


/************************************************/

Configured config.xml as

    <listeners>
        <tcp-listener>
            <port>8883</port>
            <bind-address>0.0.0.0</bind-address>
            <name>my-tcp-listener</name>
        </tcp-listener>
        <tls-tcp-listener>
            <port>1883</port>
            <bind-address>0.0.0.0</bind-address>
            <proxy-protocol>true</proxy-protocol>
            <tls>
                <keystore>
                    <path>../hivemq.jks</path>
                    <password>hello123</password>
                    <private-key-password>hellokey123</private-key-password>
                </keystore>
                <client-authentication-mode>REQUIRED</client-authentication-mode>
                <truststore>
                    <path>../hivemq-trust-store.jks</path>
                    <password>hellotrust123</password>
                </truststore>
            </tls>
        </tls-tcp-listener>
    </listeners>


Now, in nodejs file using mqtt.js,

When I configure to use tcp port 8883, 
var options = {
    port: 8883,
    host: 'localhost'
};

it works,


But when I use configuration for port 1883
var options = {
    port: 1883,
    host: 'localhost',
    keyPath: '../mqtt-client-key.pem',
    certPath: '../mqtt-client-cert.pem',
    rejectUnauthorized : true,
    // The CA list will be used to determine if server is authorized
    ca: '../hivemq-server-cert.pem'
};

Nothing happens, no error. I don't understand what is happening. Would be really grateful if someone could help.

Folder strucutre is such:
root
|->Trial
|->|->nodeScript.js
|->mqtt-client-key.pem
|->mqtt-client-cert.pem
|->hivemq-server-cert.pem
|->hivemq-ce-2022.1
|->|->conf
|->|->|->config.xml
|->|->bin
|->|->|->run.sh

Daria_H · November 15, 2022, 1:38pm

Hi @banjobyster ,

Check if the listener is getting created. To check:

First, Find the file $HIVEMQ_HOME/conf/logback.xml and change the log level to DEBUG to get more details in the log. Change this line:

    <root level="${HIVEMQ_LOG_LEVEL:-INFO}">

change it to:

    <root level="${HIVEMQ_LOG_LEVEL:-DEBUG}">

Save your changes.
2. Next, Restart your HiveMQ again and check the log $HIVEMQ_HOME/log/hivemq.log. See if the listener tls-tcp-listener is started successfully or whether there is any error.

Kind regards,
Dasha from HiveMQ team

banjobyster · November 15, 2022, 2:46pm

Hello @Daria_H ,

I am getting this when starting HiveMQ.

2022-11-15 20:11:29,078 INFO - Starting TLS TCP listener on address 0.0.0.0 and port 1883

I looked at hivemq.log, and this is that I found

2022-11-15 20:11:26,048 DEBUG - Adding TCP Listener with TLS on bind address 0.0.0.0 and port 1883. Name: tls-tcp-listener-1883.

Rest, everything seems fine.

Daria_H · November 15, 2022, 3:41pm

@banjobyster

When the listener is started, you can try to connect an MQTT client to it. We suggest using MQTT-CLI. The Command to connect to a tls-tcp-listener and publish a message:

mqtt publish --topic Test --message Hello \
  --host <yourHost> --port <yourPort> \
  --cafile server.pem --cert client-cert.pem --key client-key.pem \
  --verbose

Where <yourPort> is in your case 1883.

Note that <yourHost> used in the command should be the same as CN in the certificate.
If you want another hostname, for example, if you create the certificate with CN=hivemq, but run your HiveMQ broker on the localhost, then you can update your /etc/hosts file and add to it:

127.0.0.1	hivemq

Also, note the option --verbose – it provides detailed information about the outcome of the command that is useful when you are troubleshooting. You can get help on mqtt-cli command by running mqtt <command> --help, for example, for the publish command, run

mqtt publish --help

Feel free to use our script that works for generating certificates, Keystore, and trust store.

I hope this helps,
Regards,
Dasha from HiveMQ Team

banjobyster · November 16, 2022, 4:23am

Hello @Daria_H ,

I guess I have been using mqtt-cli wrong so far, will use your instructions and update you with the progress. Thank you so much for helping so far.

banjobyster · November 16, 2022, 7:42am

Greetings @Daria_H ,
I followed your steps.

I am getting the following error after trying to connect via mqtt-cli

Invalid value for option ‘–key’: cannot convert ‘.\certs\client-key.pem’ to PrivateKey (unable to read encrypted data: 1.2.840.113549.1.5.13 not available: Cannot find any provider supporting 1.2.840.113549.3.7)

Can you please guide me how to solve this problem.

PS: Also, encountered another error while using your provided shell script. While generating .pem based client certificate and converting to .crt file, I encountered an error where

-subj “/CN=$clientName”

was getting appended after the bash path. Maybe error was happening due to running it via git bash. So solved that by updating the line to

-subj “//CN=$clientName”

Maybe you can mention that in the code cause it took a lot of time to figure that out as a beginner.

Topic		Replies	Views
Can't Connect OpenMV H7 Device to HiveMQ Cloud via TLS HiveMQ Cloud	1	319	December 11, 2023
MQTT Explorer - unable to verify the first certificate - Lets Encrypt	4	1870	June 17, 2023
TLS Mutual authentication problem HiveMQ Community Edition	1	707	June 28, 2023
Connection issue: CA certificate	3	615	July 20, 2023
Help regarding TLS configuration hivemq docker container HiveMQ Community Edition	1	1968	April 6, 2020

TLS not working

Related topics