我在使用 SSL 配置 mosquitto 时遇到问题。明文 (1883) 下一切正常,但当我进行 SSL 配置并测试它 (8883) 时,我收到以下错误:
mosquitto_pub --host 127.0.0.1 --port 8883 --topic test -m "bankai" --key /etc/mosquitto/certs/server.key --cert /etc/mosquitto/certs/server.crt
Error: The connection was lost.
1659527333: Client connection from 127.0.0.1 failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
mosquitto_pub --host my.server.org --port 8883 --topic test -m "bankai" --key /etc/mosquitto/certs/server.key --cert /etc/mosquitto/certs/server.crt
Error: The connection was lost.
1659527333: Client connection from 147.xxx.yyy.zzz failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
mosquitto_pub --host 127.0.0.1 --port 8883 --topic test -m "bankai" --cafile /etc/mosquitto/ca_certificates/ca.crt
Error: A TLS error occurred.
1659527858: New connection from 127.0.0.1 on port 8883.
mosquitto_pub --host my.server.org --port 8883 --topic test -m "bankai" --cafile /etc/mosquitto/ca_certificates/ca.crt
Error: The connection was lost.
1659528143: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1659528143: Socket error on client <unknown>, disconnecting.
1659528184: New connection from 147.xxx.yyy.zzz on port 8883.
我真的需要你的帮助,因为我不知道现在该怎么办!提前谢谢 :)
在SSL配置方面,按照文档:
- 我创建了一个 CA 密钥对
openssl genrsa -out ca.key 2048
- 我创建了一个 CA 证书并使用证书密钥签署
openssl req -new -x509 -days 3650 -extensions v3_ca -key ca.key -out ca.crt -subj "/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=my.server.org"
- 我为 MQTT 服务器创建了一对密钥
openssl genrsa -out server.key 2048
- 我使用创建了一个 CSR 文件服务器密钥
openssl req -new -out server.csr -key server.key -subj "/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=my.server.org" -addext subjectAltName=IP:147.xxx.yyy.zzz,IP:192.168.xxx.yyy,IP:127.0.0.1,DNS:my.server.org,DNS:myhostname,DNS:localhost
- 我用过证书密钥签署服务器端并创造服务器端
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650
- 我将 ca.crt、server.crt 和 server.key 文件复制到相应的 mosquitto 文件夹
cp /etc/ssl/mycerts/mosquitto/ca.crt /etc/mosquitto/ca_certificates/ca.crt
cp /etc/ssl/mycerts/mosquitto/server.crt /etc/mosquitto/certs/server.crt
cp /etc/ssl/mycerts/mosquitto/server.key /etc/mosquitto/certs/server.key
- 我创建并配置了 /etc/mosquitto/conf.d/ssl.conf 文件如下:
#
# configuration mosquitto SSL
#
# port
listener 8883
# ssl files
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
# tls options
require_certificate true
tls_version tlsv1.2
- 我重启了 mosquitto 服务
systemctl restart mosquitto.service
systemctl status mosquitto.service
● mosquitto.service - Mosquitto MQTT v3.1/v3.1.1 Broker
Loaded: loaded (/lib/systemd/system/mosquitto.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-07-26 14:12:48 CEST; 15s ago
Docs: man:mosquitto.conf(5)
man:mosquitto(8)
Main PID: 30769 (mosquitto)
Tasks: 1 (limit: 2059)
CGroup: /system.slice/mosquitto.service
└─30769 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
Jul 26 14:12:48 raspberrypi systemd[1]: Starting Mosquitto MQTT v3.1/v3.1.1 Broker...
Jul 26 14:12:48 raspberrypi mosquitto[30769]: Loading config file /etc/mosquitto/conf.d/ssl.conf
Jul 26 14:12:48 raspberrypi systemd[1]: Started Mosquitto MQTT v3.1/v3.1.1 Broker.
- 我检查了 8883 端口是否正在监听
netstat -plunt | grep mosquitto
tcp 0 0 0.0.0.0:8883 0.0.0.0:* LISTEN 30769/mosquitto
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 30769/mosquitto
tcp6 0 0 :::8883 :::* LISTEN 30769/mosquitto
tcp6 0 0 :::1883 :::* LISTEN 30769/mosquitto
- 我为客户端创建了一对密钥
openssl genrsa -des3 -out client.key 2048
- 我使用创建了一个 CSR 文件客户端密钥
openssl req -new -out client.csr -key client.key -subj "/C=FR/ST=Occitanie/L=Toulouse/O=MyCompany/OU=MyUnit/CN=147.xxx.yyy.zzz"
- 我用过证书密钥签署客户端.csr并创造客户端证书
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650