I am hosting an MQTT broker on a Linux server. So far none of the MQTT clients had any problem connecting (sub/pub) until I added the "crlfile" line in the Mosquitto configuration file. When I have "crlfile" set in the configuration file, none of the clients can connect. What's weird is that the CRL file actually has no certs revoked. However, this error comes out for all clients:
Error: The connection was lost.
I am using Mosquitto 2.0.12 and here is my Mosquitto configuration file:
# For listener with port 1883
#listener 1883
# Set 8883 as the listener (port)
listener 8883
# Path to the password file
#password_file /etc/mosquitto/passwords
# Path to the cafile
cafile /etc/mosquitto/certs/ca.crt
# Path to the broker cert file
certfile /etc/mosquitto/certs/broker.crt
# Path to the broker key file
keyfile /etc/mosquitto/certs/broker.key
# Path to the CRL file
crlfile /etc/mosquitto/certs/ca.crl
# Whether a certificate is required to connect (Set to true for TLS)
require_certificate true
# Allow anonymous connection (Set to false for TLS)
allow_anonymous false
# Path to Dynamic Security Plugin
plugin /usr/lib/x86_64-linux-gnu/mosquitto_dynamic_security.so
# Path to Dynamic Security config file
plugin_opt_config_file /etc/mosquitto/conf.d/dynamic-security.json
# Whether each listener has the same settings
per_listener_settings false
I managed to fix the issue. The CRL file was generated using Python's cryptography library. The issue was that when I set the last update and next update datetime, I set it using my local time when I should've set it based on UTC time. So I changed my code from
crl_builder = crl_builder.last_update(datetime.utcnow())
crl_builder = crl_builder.next_update(datetime.utcnow() + timedelta(days=365000))
to
crl_builder = crl_builder.last_update(pytz.utc.localize(datetime.utcnow()))
crl_builder = crl_builder.next_update(pytz.utc.localize(datetime.utcnow()) + timedelta(days=365000))
And now my Mosquitto broker works fine :)
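As an added example (not the asker's or Mosquitto's code), here is a self-contained script in the same cryptography library that builds a CRL with timezone-aware UTC lastUpdate/nextUpdate, using the standard library's timezone.utc instead of pytz, and runs the pre-flight checks worth doing before pointing crlfile at the result: issuer matches the CA, signature verifies against the CA key, and the current time falls inside the CRL's validity window. The CA key/cert and the serial numbers are constructed on the fly as stand-ins for ca.key / ca.crt.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed CA name; stands in for whatever ca.crt on the broker actually carries.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-mqtt-ca")])


def make_ca():
    """Constructed throw-away CA key and self-signed cert (stand-in for ca.key / ca.crt)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(CA_NAME).issuer_name(CA_NAME)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials=(), validity_days=365):
    """Build an (optionally empty) CRL whose timestamps are tz-aware UTC, as the answer recommends."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now)
               .next_update(now + timedelta(days=validity_days)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def check_crl(crl_pem, ca_cert):
    """Pre-flight checks before handing a CRL to Mosquitto's crlfile option."""
    crl = x509.load_pem_x509_crl(crl_pem)
    now = datetime.now(timezone.utc)
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions only the naive UTC ones.
    last = getattr(crl, "last_update_utc", None) or crl.last_update.replace(tzinfo=timezone.utc)
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    return {
        "issuer_matches_ca": crl.issuer == ca_cert.subject,
        "signature_valid": crl.is_signature_valid(ca_cert.public_key()),
        "time_window_ok": last <= now < nxt,
        "revoked_count": len(crl),
    }
```

Running check_crl against the real ca.crt and ca.crl on the broker host isolates a bad CRL (wrong issuer, wrong key, or a time window that excludes "now") from the listener configuration itself.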