Tags: ssl, mqtt, mosquitto

MQTT ports 8883 and 1883 enabled at the same time don't work


I have a docker-compose file where I have an MQTT container and a Python app container. The MQTT container must be able to accept connections over TLS on port 8883 from the outside world. Only a client located in the other Python app container should be able to connect unencrypted over port 1883.

Certificates seem to be OK. If I only enable listener 8883 then communication works. Also if I only enable listener 1883 it works too. Only if I use them together it doesn't work.

The issue is that when I put listener 8883 0.0.0.0 and listener 1883 0.0.0.0 in the config file then I can't connect at port 8883 with certs and neither at port 1883.

compose file:

version: '3.8'
services:
  nginx-proxy:
    .
    .
    networks:
    - frontend
    - mqtt
  app:
    . 
    .
    networks:
    - frontend
    - backend
    - mqtt
  mqtt-8vv30kj5g5u4:
    .
    .
    networks:
    - mqtt
networks:
  frontend:
    name: frontend-network
  backend:
    name: backend-network
  mqtt:
    name: mqtt-network

My mosquitto.conf file:

listener 8883 0.0.0.0
listener 1883 0.0.0.0
max_connections -1
protocol mqtt
certfile /mosquitto/config/certificates/server.crt
keyfile /mosquitto/config/certificates/server.key
crlfile /mosquitto/config/certificates/ca.crl
require_certificate true
cafile /mosquitto/config/certificates/ca.crt
allow_anonymous true

Connecting over port 8883 using TLS, I get the error SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1129) at the client side. The mosquitto.log file in the broker says:

1654783087: New connection from 172.28.0.2:57262 on port 8883.
1654783087: Client <unknown> disconnected due to malformed packet.

Connecting over port 1883 throws no error, but the mosquitto.log file says:

1654783976: New connection from 172.28.0.6:38193 on port 1883.
1654783976: OpenSSL Error[0]: error:1404A42E:SSL routines:ST_ACCEPT:tlsv1 alert protocol version
1654783976: Client <unknown> disconnected: Protocol error.

Can you maybe see an error?


Solution

  • Order in the mosquitto.conf file is important.

    With

    listener 8883 0.0.0.0
    listener 1883 0.0.0.0
    max_connections -1
    protocol mqtt
    certfile /mosquitto/config/certificates/server.crt
    keyfile /mosquitto/config/certificates/server.key
    crlfile /mosquitto/config/certificates/ca.crl
    require_certificate true
    cafile /mosquitto/config/certificates/ca.crt
    allow_anonymous true
    

    You have defined listener 8883 0.0.0.0 with the default settings (no ssl at all) and listener 1883 0.0.0.0 with all the SSL config that follows in the config file.

    What you probably want is this:

    per_listener_settings true
    
    listener 1883 0.0.0.0
    allow_anonymous true
    
    listener 8883 0.0.0.0
    max_connections -1
    certfile /mosquitto/config/certificates/server.crt
    keyfile /mosquitto/config/certificates/server.key
    crlfile /mosquitto/config/certificates/ca.crl
    require_certificate true
    cafile /mosquitto/config/certificates/ca.crt
    allow_anonymous false
    

    This sets up SSL on port 8883 (and disables anonymous connections since you are requiring a client SSL cert) and allows anonymous access on port 1883.
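To make the ordering rule from the answer checkable, here is an added example (not code from the question, the answer, or the Mosquitto project): a small Python model of how mosquitto.conf scopes options, run over shortened copies of both configurations. It assumes the documented behaviour that TLS options bind to the most recent `listener` line and that authentication options are global unless `per_listener_settings true` is set; certificate paths are abbreviated placeholders.

```python
# Added example (not from the question or answer): a small model of how Mosquitto
# scopes options. TLS keys (certfile, keyfile, cafile, crlfile, require_certificate)
# bind to the most recent `listener`; auth keys such as allow_anonymous stay global
# unless `per_listener_settings true` is set.
AUTH_KEYS = {"allow_anonymous", "password_file", "acl_file"}

def parse_conf(conf_text):
    """Map each port to its options; 'global' holds options shared by all listeners."""
    per_listener, current, listeners = False, "global", {"global": {}}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "per_listener_settings":
            per_listener = value == "true"
        elif key == "listener":
            current = int(value.split()[0])   # new scope: everything below binds here
            listeners[current] = {}
        elif key in AUTH_KEYS and not per_listener:
            listeners["global"][key] = value  # auth settings stay global by default
        else:
            listeners[current][key] = value
    return listeners

def audit(conf_text):
    """Per port: is TLS configured, is a client cert required, is anonymous allowed?"""
    listeners = parse_conf(conf_text)
    summary = {}
    for port, opts in listeners.items():
        if port == "global":
            continue
        anon = opts.get("allow_anonymous",
                        listeners["global"].get("allow_anonymous", "false"))
        summary[port] = {
            "tls": "certfile" in opts and "keyfile" in opts,
            "client_cert": opts.get("require_certificate") == "true",
            "anonymous": anon == "true",
        }
    return summary

# Constructed, shortened copy of the question's original file (paths abbreviated).
ORIGINAL = "\n".join(["listener 8883 0.0.0.0", "listener 1883 0.0.0.0",
    "certfile /c/server.crt", "keyfile /c/server.key", "require_certificate true",
    "cafile /c/ca.crt", "allow_anonymous true"])
# Constructed, shortened copy of the answer's corrected file.
FIXED = "\n".join(["per_listener_settings true", "listener 1883 0.0.0.0",
    "allow_anonymous true", "listener 8883 0.0.0.0", "certfile /c/server.crt",
    "keyfile /c/server.key", "require_certificate true", "cafile /c/ca.crt",
    "allow_anonymous false"])
```

`audit(ORIGINAL)` reports port 8883 with no TLS and port 1883 carrying the certificates, matching the broker log lines in the question; `audit(FIXED)` reports TLS with a required client cert on 8883 only.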