Mosquitto cannot use LetsEncrypt certificates

I am trying to set up Mosquitto using this guide: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-18-04

I am using Ubuntu 20.04, but I could not find any guide specific to Focal.

When I first installed it, I could start and restart the service without any problem. However, adding my config file seems to break it, specifically the keyfile line. I have tried Mosquitto from both the Ubuntu repository and the PPA.

After I create the conf file, the error appears. The conf file looks like this:

allow_anonymous false
password_file /etc/mosquitto/pwfile

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

When I restart the service after adding the conf file above, it fails; this is the journalctl -xe output:

-- A start job for unit mosquitto.service has begun execution.
-- 
-- The job identifier is 4722.
Dec 20 06:45:32 thestash mosquitto[10010]: 1608464732: Loading config file /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- An ExecStart= process belonging to unit mosquitto.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd[1]: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4722 and the job result is failed.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- Automatic restarting of the unit mosquitto.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Dec 20 06:45:32 thestash systemd[1]: Stopped Mosquitto MQTT Broker.
-- Subject: A stop job for unit mosquitto.service has finished
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A stop job for unit mosquitto.service has finished.
-- 
-- The job identifier is 4794 and the job result is done.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Start request repeated too quickly.
Dec 20 06:45:32 thestash systemd[1]: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd[1]: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4794 and the job result is failed.
Dec 20 06:45:34 thestash sudo[10011]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/nano /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:34 thestash sudo[10011]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Dec 20 06:45:38 thestash sudo[10011]: pam_unix(sudo:session): session closed for user root
Dec 20 06:45:38 thestash kernel: [UFW BLOCK] IN=eth0 OUT= MAC=d6:32:76:db:0a:3b:18:2a:d3:e0:df:f0:08:00 SRC=45.129.33.168 DST=104.236.7.145 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=11309 PROTO=TCP SPT=59534 DPT=21661 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 20 06:45:44 thestash sudo[10013]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Dec 20 06:45:44 thestash sudo[10013]: pam_unix(sudo:session): session opened for user root by admin(uid=0)

If I comment out the keyfile line in default.conf, the service restarts without any error. The key is there and does not seem to cause problems for anything else on my server.

And the mosquitto.log file shows that it really is a problem reading the certificates. A permissions issue seems like a good guess, but I do not understand why this is only a problem for privkey.pem and not for the other two files, which have the same permissions. Also, nginx can use my certificates without owning them.

1608463912: mosquitto version 2.0.3 starting
1608463912: Config loaded from /etc/mosquitto/mosquitto.conf.
1608463912: Opening ipv4 listen socket on port 1883.
1608463912: Opening ipv4 listen socket on port 8883.
1608463912: Opening ipv6 listen socket on port 8883.
1608463912: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
1608463912: Error: Unable to load server certificate "/etc/letsencrypt/live/mylittlestashbox.com/cert.pem". Check certfile.
1608463912: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
1608463912: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
1608463912: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib
1608464267: mosquitto version 2.0.3 starting
1608464267: Config loaded from /etc/mosquitto/mosquitto.conf.
1608464267: Opening ipv4 listen socket on port 1883.
1608464267: Opening ipv4 listen socket on port 8883.
1608464267: Opening ipv6 listen socket on port 8883.
1608464267: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
/var/log/mosquitto/mosquitto.log

Answer 1

Check the permissions on the certificate path. After updating the mosquitto server on my Pi under Debian I ran into the same problem... I fixed it with this:

sudo su
chmod 755 /etc/letsencrypt/archive
chmod 755 /etc/letsencrypt/live
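As an added example (not code from the question or either answer), this Python model replays the broker's read attempt as an unprivileged "mosquitto" user against a certbot-style tree with constructed uids, gids and paths. It shows why the search (x) bit is needed on both live/ and archive/ (the files under live/ are symlinks into archive/), why the error hits cert.pem and chain.pem as well as the key, and that after answer 1's chmod 755 a 0600 root-owned privkey.pem still fails; the final step that grants the key to the broker's group with mode 0640 is an assumed least-privilege fix, not one from the page.

```python
# Constructed model of a default certbot tree: path -> (uid, gid, mode, symlink target).
# Assumed defaults: live/ and archive/ root-owned 0700, key 0600, live/<domain>/*.pem are
# symlinks into archive/ (absolute targets here). 110/115: constructed mosquitto uid/gid.
MOSQ_UID, MOSQ_GID = 110, 115
LE = "/etc/letsencrypt"
TREE = {
    "/etc": (0, 0, 0o755, None), LE: (0, 0, 0o755, None),
    f"{LE}/live": (0, 0, 0o700, None), f"{LE}/live/mydomain": (0, 0, 0o755, None),
    f"{LE}/archive": (0, 0, 0o700, None), f"{LE}/archive/mydomain": (0, 0, 0o755, None),
    f"{LE}/archive/mydomain/cert1.pem": (0, 0, 0o644, None),
    f"{LE}/archive/mydomain/chain1.pem": (0, 0, 0o644, None),
    f"{LE}/archive/mydomain/privkey1.pem": (0, 0, 0o600, None),
}
for _n in ("cert", "chain", "privkey"):
    TREE[f"{LE}/live/mydomain/{_n}.pem"] = (0, 0, 0o777, f"{LE}/archive/mydomain/{_n}1.pem")
def _has_bit(entry, uid, gids, bit):
    """Classic Unix DAC: owner bits if uid matches, else group bits if a gid matches, else other."""
    owner, group, mode, _ = entry
    if uid == 0:
        return True  # root bypasses read and search checks (why a root-run nginx is fine)
    shift = 6 if uid == owner else 3 if group in gids else 0
    return bool(mode & (bit << shift))
def can_read(tree, path, uid, gids):
    """(ok, reason): every parent directory needs the search (x) bit and the file needs r.
    A symlink is followed, so its target path is checked in full; that is why archive/ matters."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if not _has_bit(tree[d], uid, gids, 0o1):
            return False, f"{d}: no search (x) permission"
    entry = tree[path]
    if entry[3] is not None:
        return can_read(tree, entry[3], uid, gids)
    if not _has_bit(entry, uid, gids, 0o4):
        return False, f"{path}: no read permission"
    return True, "ok"
def chmod(tree, path, mode, gid=None):
    """Copy of tree with path's mode (and optionally group) changed, as chmod/chgrp would do."""
    t = dict(tree)
    uid, old_gid, _, link = t[path]
    t[path] = (uid, old_gid if gid is None else gid, mode, link)
    return t
def diagnose(tree, uid=MOSQ_UID, gids=(MOSQ_GID,)):
    """Check the three files from the question's listener 8883 block as the broker's own user."""
    return {n: can_read(tree, f"{LE}/live/mydomain/{n}.pem", uid, gids) for n in ("cert", "chain", "privkey")}
def scenarios():
    """Default tree; after answer 1 (755 on live/ and archive/); then key made group-readable (assumed)."""
    after_answer1 = chmod(chmod(TREE, f"{LE}/live", 0o755), f"{LE}/archive", 0o755)
    key_to_group = chmod(after_answer1, f"{LE}/archive/mydomain/privkey1.pem", 0o640, gid=MOSQ_GID)
    return {"default": diagnose(TREE), "answer1": diagnose(after_answer1), "answer1+key_group": diagnose(key_to_group)}
```

Running scenarios() shows all three files blocked at /etc/letsencrypt/live by default, cert and chain readable after answer 1 with the key still denied, and everything readable once the key is group-readable by the broker's group.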

Answer 2

I ran into the same problem. This is how I solved it:

First, I checked the default permissions of the files in the ca_certificates and certs folders under /etc/mosquitto (the README). They were -rw-r--r-- (644). So I set the permissions of all the certificate files accordingly.

sudo chmod 0644 ./ca_certificates/* ./certs/*

And the folder permissions as well. They were drwxr-xr-x (755).

sudo chmod 0755 ./ca_certificates ./certs