I've configured mosquitto to listen on port 8883, and generated letsencrypt SSL certificates for the server. So far so good.
I can successfully test the TLS connection:
openssl s_client -connect mqtt.example.com:8883
gives me the certificate and session info, and mosquitto's logs report a successful connection.
I can also successfully publish a message using the paho python library.
However, when I try with mosquitto_pub it does this:
$ mosquitto_pub -h mqtt.example.com -p 8883 -u foobar -P "" -t foobar -m test
Client connection from XX.XX.XX.XX failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.
This seems to be a common problem, but none of the solutions I've found searching the web seem to apply to me because they generally involve the client identifying itself using a self-signed certificate.
So I'm stumped. Does anyone know what's causing this error?
To get mosquitto_pub to attempt to start an SSL connection you need to provide either --cafile or --capath that points to the location of the CA certificates to verify the broker.
Without these options neither mosquitto_pub nor mosquitto_sub will attempt to start an SSL session; they will instead try to connect with a normal unencrypted MQTT connection.
On most Linux distributions you can use --capath and point it to the /etc/ssl/certs directory.
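Why a plaintext client produces this particular error on the broker, shown as an added example that is not part of the original answer: it builds the unencrypted MQTT CONNECT packet and reads its first five bytes as a TLS record header, the way a listener on 8883 has to. The header check is a simplified model rather than OpenSSL's code, and the client id and function names are assumptions.

```python
import struct

def _field(text: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length, then the bytes."""
    raw = text.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw

def _remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 bits per byte, MSB = continue)."""
    out = bytearray()
    while True:
        n, low = divmod(n, 128)
        out.append(low | (0x80 if n else 0))
        if not n:
            return bytes(out)

def mqtt_connect(client_id: str, username: str, password: str, keepalive: int = 60) -> bytes:
    """Plaintext MQTT 3.1.1 CONNECT, as sent when no TLS is negotiated."""
    flags = 0x80 | 0x40 | 0x02  # username, password, clean session
    body = (_field("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
            + _field(client_id) + _field(username) + _field(password))
    return b"\x10" + _remaining_length(len(body)) + body

def read_as_tls_record(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS record header (simplified model)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3:        # every SSL 3.0 / TLS record carries major version 3
        verdict = "wrong version number"
    elif ctype != 22:     # the first record must be a handshake (type 22)
        verdict = "unexpected message"
    else:
        verdict = "handshake record"
    return {"type": ctype, "version": (major, minor), "length": length, "verdict": verdict}

# Constructed samples: the question's credentials with an assumed client id,
# and the 5-byte header of a TLS ClientHello record.
PLAIN_CONNECT = mqtt_connect("demo-client", "foobar", "")
TLS_HELLO_HEADER = bytes.fromhex("1603010200")

if __name__ == "__main__":
    print(PLAIN_CONNECT[:5].hex(), read_as_tls_record(PLAIN_CONNECT))
    print(TLS_HELLO_HEADER.hex(), read_as_tls_record(TLS_HELLO_HEADER))
```

The byte that lands in the TLS major-version position is MQTT's remaining-length field, which for a CONNECT packet is never 3, so the broker's TLS stack rejects the connection before any MQTT parsing happens.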