I'm trying to establish a TLS MQTT bridge between my local network and an MQTT server running in the cloud, but I am not able to create it.
I've configured a broker (call it remote_broker) to accept certificate authenticated connections (require_certificate, use_identity_as_username, keyfile, certfile and cafile) and after configuring the client certificates I was able to directly publish and subscribe to topics (using mosquitto_pub and mosquitto_sub).
When I try to configure the bridge from the other broker (call it local_broker) to the remote one, again with certificate authentication, it fails. The log in the remote_broker presents an OpenSSL error stating that "peer did not present a certificate" (see the remote_broker logs). On the local server, the connection is just stated as failed before the SSL handshake is finished (see the local_broker logs below), and so no MQTT session is even started. From the logs it seems that both parties are starting the TLS handshake, but it fails because the client is not identifying itself properly.
remote_broker logs:
2020-10-05T23:55:17Z: New connection from 127.0.0.1 on port 8883.
2020-10-05T23:55:17Z: OpenSSL Error[0]: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
2020-10-05T23:55:17Z: Socket error on client <unknown>, disconnecting.
local_broker logs:
2020-10-05T23:55:17Z: Bridge local.mqttserver.local-remote doing local SUBSCRIBE on topic shelleys/#
2020-10-05T23:55:17Z: Bridge local.mqttserver.local-remote doing local SUBSCRIBE on topic tele/#
2020-10-05T23:55:17Z: Connecting bridge (step 1) local-remote (localhost:8883)
2020-10-05T23:55:17Z: Connecting bridge (step 2) local-remote (localhost:8883)
2020-10-05T23:55:17Z: Bridge mqttserver.local-remote sending CONNECT
2020-10-05T23:55:17Z: OpenSSL Error[0]: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
The local_broker bridge configuration is contained in a file inside the conf.d directory and has the content below (for now I am using an SSH tunnel to access the cloud machine, hence the localhost name as the reference for the remote_broker IP address):
connection local_remote
address localhost:8883
topic shelleys/# out
topic tele/# out
bridge_cafile /etc/mosquitto/ca_certificates/RootCA.crt
bridge_certfile /etc/mosquitto/certs/bridgeClient.crt
#bridge_keyfile /etc/mosquitto/certs/bridgeClient.key
The parameter bridge_keyfile is commented out because the local_broker is behaving as a client for the bridge connection (or so I understood), so it should not be needed; I tried uncommenting it, but the behaviour did not change.
The certificates were signed by the same CA, whose public certificate is present in both brokers and referred to in the configuration in 'bridge_cafile' in the local_broker and in 'ca_file' in the remote_broker. The remote_broker certificate was issued to 'localhost' so that it matches the domain name given in the address parameter.
I've tried several of the other bridge TLS parameters that might influence the connection behaviour such as 'bridge_insecure', 'bridge_protocol_version', 'bridge_require_ocsp' and 'bridge_tls_version' but none changed the behaviour.
Does anyone know what is missing in the configuration for the local_broker bridge client to send its certificate and so identify itself?
Thanks.
@hardillb you are right. I've reviewed and repeated my configuration with regard to your comment, and afterwards it successfully connected. The final config is presented below. Not sure why it was not working before when I tested it with the bridge_keyfile activated.
connection local_remote
address localhost:8883
topic shelleys/# out
topic tele/# out
bridge_cafile /etc/mosquitto/ca_certificates/RootCA.crt
bridge_certfile /etc/mosquitto/certs/bridgeClient.crt
bridge_keyfile /etc/mosquitto/certs/bridgeClient.key
Thanks for the help.
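As an added example (not part of the question or answer above, and not mosquitto project code), here is a small Python linter that parses the bridge section of a mosquitto configuration and flags exactly the mismatch discussed in this thread: bridge_certfile set while bridge_keyfile is absent or commented out, which leaves the bridge unable to complete client-certificate authentication and produces the "peer did not return a certificate" error on the remote side. The two sample configurations are constructed from the failing and working configs posted above; the option names (bridge_cafile, bridge_capath, bridge_certfile, bridge_keyfile, bridge_insecure) are real mosquitto options, while the finding messages and the parse_bridges/lint_bridge/lint helpers are my own.

```python
"""Lint mosquitto bridge sections for mutual-TLS client-auth mistakes (added example)."""
from dataclasses import dataclass, field

# Constructed sample: the failing configuration from the question (bridge_keyfile commented out).
BROKEN_CONF = """\
connection local_remote
address localhost:8883
topic shelleys/# out
topic tele/# out
bridge_cafile /etc/mosquitto/ca_certificates/RootCA.crt
bridge_certfile /etc/mosquitto/certs/bridgeClient.crt
#bridge_keyfile /etc/mosquitto/certs/bridgeClient.key
"""

# Constructed sample: the working configuration from the follow-up (bridge_keyfile enabled).
FIXED_CONF = BROKEN_CONF.replace("#bridge_keyfile", "bridge_keyfile")


@dataclass
class Bridge:
    """One 'connection <name>' section; repeated keys (e.g. topic) keep the last value."""
    name: str
    options: dict = field(default_factory=dict)
    commented: dict = field(default_factory=dict)  # options present only as '#key value' lines


def parse_bridges(text):
    """Split a mosquitto conf into bridge sections; a section starts at 'connection <name>'."""
    bridges = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        parts = line.lstrip("#").strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "connection" and not is_comment:
            current = Bridge(value)
            bridges.append(current)
        elif current is not None:
            (current.commented if is_comment else current.options)[key] = value
    return bridges


def lint_bridge(bridge):
    """Return a list of findings about one bridge's outgoing TLS settings (empty list = OK)."""
    findings = []
    opts = bridge.options
    has_cert = "bridge_certfile" in opts
    has_key = "bridge_keyfile" in opts
    if has_cert and not has_key:
        msg = ("bridge_certfile set without bridge_keyfile: client-certificate authentication "
               "needs both, so the remote broker will see no client certificate")
        if "bridge_keyfile" in bridge.commented:
            msg += " (bridge_keyfile is present but commented out)"
        findings.append(msg)
    if has_key and not has_cert:
        findings.append("bridge_keyfile set without bridge_certfile")
    if (has_cert or has_key) and not ("bridge_cafile" in opts or "bridge_capath" in opts):
        findings.append("no bridge_cafile/bridge_capath: the remote broker's certificate cannot be verified")
    if opts.get("bridge_insecure", "false").lower() == "true":
        findings.append("bridge_insecure true disables hostname verification of the remote broker")
    return findings


def lint(text):
    """Map each bridge name in the config text to its list of findings."""
    return {b.name: lint_bridge(b) for b in parse_bridges(text)}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for name, findings in lint(conf).items():
            print(f"[{label}] bridge {name}: {findings or 'OK'}")
```

Run it against a real conf.d file by reading the file into lint(); the broken sample yields one finding pointing at the commented-out bridge_keyfile, the fixed sample yields none.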