Unable to connect to MQTT serverless option

I have an application which is supposed to make a TLS connection to the free serverless MQTT option. To check that the application is working as intended, I have tried running the hivemq4 docker image with TLS enabled, and the device can connect to it just fine. However, when trying to connect to the Cloud broker, it fails.
I am able to connect to the cloud via the same network, using the MQTTX program.
Info about the application:
CPU: STM32F429 with external SDRAM
Encryption lib: WolfSSL
MQTT client: custom-made bare minimum for MQTT v3.1

Hello @sync_this ,

First off, welcome to the HiveMQ Community!

To start with, there are some additional requirements that are worth mentioning when utilizing a HiveMQ Cloud free serverless host. Namely, that the certificate provided is signed by the CA ‘Let’s Encrypt’, and TLS-SNI is required.

While most devices accept Let’s Encrypt signed certs automatically, some devices require the server CA file be provided for validation. This can be obtained here.

TLS-SNI is an extension of TLS that allows for hostname validation during TLS handshakes, and this is required for connecting devices - it is worthwhile to ensure that this is supported with the TLS implementation utilized.

As for the HiveMQ4 docker image, it may be worth clarifying how this was configured - if using mTLS, self-signed certificates, etc.

Let us know if you have any further questions, or additional details we can assist with!

Best,
Aaron from the HiveMQ Team

Hello AaronTLFranz

I have 2 HiveMQ Cloud Serverless clusters running in 2 different accounts (mine and my son’s).

I have trouble connecting with the MQTT Explorer to the HiveMQ Cloud Serverless on certain Windows 11 installations.

I provide the Let’s Encrypt CA to the MQTT Explorer as Server certificate, but I still get the message: connection refused: not authorized.

But I can connect on other Windows 11 installations with the same credentials.

And on the Windows 11 installations where I can’t connect to one cluster, I can connect to a different cluster!?

Any idea what I’m doing wrong?

Regards Stefan

Hello @longjogger951 ,

Thank you for the outreach, and welcome to HiveMQ!

As you’ve noted, providing the Let’s Encrypt CA to connecting clients as a server certificate is the right way to go - oftentimes, clients will trust Let’s Encrypt signed certificates automatically, but this method can be used to avoid any complications, and make sure that the server is trusted without any need for implicit trust.

If possible, I would ask you to provide the current configuration you’re using for MQTT Explorer so that we can take a look to verify if there are any options that may be complicating the connection pipeline.

I would clarify the following:

  • When using HiveMQ Cloud in its default configuration, this TLS is one-way, meaning that client certificates are not validated against a truststore during authentication.
  • TLS-SNI is required, and supported by most client implementations.
  • “Not Authorized” errors typically indicate that either improper credentials were used during authentication, or the client attempted to perform an action on connect that it was not permitted to do based on the permissions applied to the utilized credentials.
    • For example, MQTT Explorer oftentimes subscribes to the topic ‘#’ automatically on connection. If this permission is not applied, the session will be terminated immediately on connect as the subscription is not valid.
  • The built-in Windows firewall can block some applications from utilizing specific ports - I would recommend ensuring that port 8883 - the default MQTT TLS port - is open and available on the machines from which you are looking to connect.

Let us know if you are able to connect successfully, or have any additional questions!

Best,

Aaron from the HiveMQ Team

Hello Aaron
thank you for your support.
I could solve this issue - I just created a new Serverless Cluster, added the required users, and everything works fine now. From any different clients.
Thank you again.
Regards Stefan