Connection to mosquitto fails with error "error:1408F10B:SSL routines:ssl3_get_record:wrong version number"

I am having trouble configuring mosquitto with SSL. In plaintext (1883) everything works, but when I configure SSL and test it (8883), I get the following errors:

mosquitto_pub --host 127.0.0.1 --port 8883 --topic test -m "bankai" --key /etc/mosquitto/certs/server.key --cert /etc/mosquitto/certs/server.crt

        Error: The connection was lost.

        1659527333: Client connection from 127.0.0.1 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

mosquitto_pub --host my.server.org --port 8883 --topic test -m "bankai" --key /etc/mosquitto/certs/server.key --cert /etc/mosquitto/certs/server.crt

        Error: The connection was lost.

        1659527333: Client connection from 147.xxx.yyy.zzz failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

mosquitto_pub --host 127.0.0.1 --port 8883 --topic test -m "bankai" --cafile /etc/mosquitto/ca_certificates/ca.crt

        Error: A TLS error occurred.

        1659527858: New connection from 127.0.0.1 on port 8883.

mosquitto_pub --host my.server.org --port 8883 --topic test -m "bankai" --cafile /etc/mosquitto/ca_certificates/ca.crt

        Error: The connection was lost.

        1659528143: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
        1659528143: Socket error on client <unknown>, disconnecting.
        1659528184: New connection from 147.xxx.yyy.zzz on port 8883.

I really need your help because I don't know what to do now! Thanks in advance :)


For the SSL configuration, following the documentation:

  • I created a CA key pair

openssl genrsa -out ca.key 2048

  • I created a CA certificate and signed it with the CA key

openssl req -new -x509 -days 3650 -extensions v3_ca -key ca.key -out ca.crt -subj "/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=my.server.org"

  • I created a key pair for the MQTT server

openssl genrsa -out server.key 2048

  • I created a CSR file using the server key

openssl req -new -out server.csr -key server.key -subj "/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=my.server.org" -addext subjectAltName=IP:147.xxx.yyy.zzz,IP:192.168.xxx.yyy,IP:127.0.0.1,DNS:my.server.org,DNS:myhostname,DNS:localhost

  • I signed server.csr with the CA key and created server.crt

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

  • I copied the ca.crt, server.crt and server.key files to the corresponding mosquitto folders

cp /etc/ssl/mycerts/mosquitto/ca.crt /etc/mosquitto/ca_certificates/ca.crt
cp /etc/ssl/mycerts/mosquitto/server.crt /etc/mosquitto/certs/server.crt
cp /etc/ssl/mycerts/mosquitto/server.key /etc/mosquitto/certs/server.key

  • I created and configured the /etc/mosquitto/conf.d/ssl.conf file as follows:

#
# configuration mosquitto SSL
#

# port
listener 8883

# ssl files
cafile   /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key

# tls options
require_certificate true
tls_version tlsv1.2

  • I restarted the mosquitto service

systemctl restart mosquitto.service
systemctl status mosquitto.service

        ● mosquitto.service - Mosquitto MQTT v3.1/v3.1.1 Broker
           Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
           Active: active (running) since Tue 2022-07-26 14:12:48 CEST; 15s ago
             Docs: man:mosquitto.conf(5)
                   man:mosquitto(8)
         Main PID: 30769 (mosquitto)
            Tasks: 1 (limit: 2059)
           CGroup: /system.slice/mosquitto.service
                   └─30769 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

        Jul 26 14:12:48 raspberrypi systemd[1]: Starting Mosquitto MQTT v3.1/v3.1.1 Broker...
        Jul 26 14:12:48 raspberrypi mosquitto[30769]: Loading config file /etc/mosquitto/conf.d/ssl.conf
        Jul 26 14:12:48 raspberrypi systemd[1]: Started Mosquitto MQTT v3.1/v3.1.1 Broker.

  • I checked that port 8883 is listening

netstat -plunt | grep mosquitto

        tcp        0      0 0.0.0.0:8883            0.0.0.0:*               LISTEN      30769/mosquitto
        tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      30769/mosquitto
        tcp6       0      0 :::8883                 :::*                    LISTEN      30769/mosquitto
        tcp6       0      0 :::1883                 :::*                    LISTEN      30769/mosquitto

  • I created a key pair for the client

openssl genrsa -des3 -out client.key 2048

  • I created a CSR file using the client key

openssl req -new -out client.csr -key client.key -subj "/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=147.xxx.yyy.zzz"

  • I signed client.csr with the CA key and created the client certificate

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
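Before handing freshly minted files to a broker it pays to check them the way the mosquitto-tls(7) manual asks: the private key must belong to server.crt, server.crt must verify against ca.crt, the CA and server certificates must carry different subjects (the manual warns that identical subjects lead to hard-to-diagnose failures), and the subjectAltName entries must actually be present in the issued certificate, since `openssl x509 -req` does not carry extensions over from the CSR unless told to with -extfile (or -copy_extensions on newer OpenSSL releases). The script below is an added example, not part of the question or of the mosquitto project. It assumes openssl (1.1.1 or later, for -addext) is on PATH, builds throwaway CA/server pairs in a temporary directory with constructed subjects and SANs, and runs those four checks once on a pair generated with the post's commands and once on a pair generated with a distinct CA subject and an -extfile:

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a CA / server
# certificate pair before giving it to mosquitto. Assumes `openssl` (1.1.1+
# for -addext) is on PATH. All subjects, SANs and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_key_matches_cert KEY CERT: succeeds if KEY's public half equals the
# public key embedded in CERT (compared as SHA-256 of the PEM public key).
check_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_chain CA CERT: succeeds if OpenSSL can build CERT's chain to CA.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_subjects_differ CA CERT: mosquitto-tls(7) requires distinct subjects
# for the CA, server and client certificates.
check_subjects_differ() {
    a=$(openssl x509 -in "$1" -noout -subject)
    b=$(openssl x509 -in "$2" -noout -subject)
    [ "$a" != "$b" ]
}

# check_has_san CERT ENTRY: succeeds if ENTRY (e.g. DNS:my.server.org) is
# in the issued certificate itself, not merely in the CSR it came from.
check_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q -- "$2"
}

# make_pair DIR CA_SUBJ SRV_SUBJ SAN MODE
#   csr-only : SAN requested only via `req -addext`, as in the post
#   extfile  : SAN also handed to `x509 -req` via -extfile, so it is issued
make_pair() {
    dir=$1; ca_subj=$2; srv_subj=$3; san=$4; mode=$5
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "$ca_subj" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "$srv_subj" -addext "subjectAltName=$san" 2>/dev/null
    set -- -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 3650
    if [ "$mode" = extfile ]; then
        printf 'subjectAltName=%s\n' "$san" > "$dir/san.cnf"
        set -- "$@" -extfile "$dir/san.cnf"
    fi
    openssl x509 "$@" 2>/dev/null
}

# report LABEL CHECK ARGS...: print PASS/FAIL without tripping `set -e`.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

POST_SUBJ="/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=my.server.org"
SAN="DNS:my.server.org,DNS:localhost,IP:127.0.0.1"

# "asis": the post's recipe, same subject on CA and server, SAN only in the CSR.
make_pair "$WORK/asis" "$POST_SUBJ" "$POST_SUBJ" "$SAN" csr-only
# "fixed": distinct CA subject, SAN carried through to the signed certificate.
make_pair "$WORK/fixed" "/C=FR/O=MyCompany/CN=MyCompany MQTT CA" "$POST_SUBJ" "$SAN" extfile

for d in asis fixed; do
    echo "== $d"
    report "server.key matches server.crt"       check_key_matches_cert "$WORK/$d/server.key" "$WORK/$d/server.crt"
    report "server.crt verifies against ca.crt"  check_chain "$WORK/$d/ca.crt" "$WORK/$d/server.crt"
    report "CA and server subjects differ"       check_subjects_differ "$WORK/$d/ca.crt" "$WORK/$d/server.crt"
    report "SAN present in server.crt"           check_has_san "$WORK/$d/server.crt" "DNS:my.server.org"
done
```

Run it with `sh check_mosquitto_certs.sh` (hypothetical file name); the four check_* functions can equally be pointed at the real files under /etc/mosquitto. Two further points worth keeping in mind when reading the broker log: mosquitto_pub only starts TLS when --cafile or --capath is given, so a call without it sends a plaintext MQTT CONNECT to the TLS listener, which OpenSSL reports as "wrong version number"; and with require_certificate true the client must also present, via --cert and --key, a certificate issued by the same CA the broker trusts.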
