I had a mosquitto 1.x running fine on Debian 10 (with SSL). Along with the upgrade to Debian 11 came mosquitto 2.0.11-1.
I had to make a couple of config file adjustments to get it to start at all. Already read through https://mosquitto.org/documentation/migrating-to-2-0/
For testing I currently start the daemon with this command interactively:
/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -v
But now clients cannot connect anymore, regardless of their client type (I have a wide variety of them). For every client connection attempt I get a log entry like this:
1629544574: New connection from x.x.x.x:54278 on port 8883.
1629544574: Client <unknown> disconnected due to protocol error.
This is the main config file:
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#Plain
#listener 1883
#SSL
listener 8883
#keepalive_interval 600
# Do not require authentication
allow_anonymous true
log_type all
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
And this is the SSL one (the only file in conf.d):
cafile /etc/mosquitto/certs/ca.cer
certfile /etc/mosquitto/certs/mqtt.cer
keyfile /etc/mosquitto/certs/mqtt.key
dhparamfile /etc/mosquitto/certs/dhparam.pem
#tls_version tlsv1.2
The cert related files all exist:
root@linux06:/etc/mosquitto# ls -l certs/
total 28
-rw-r--r-- 1 mosquitto mosquitto 3915 Apr 28 02:36 ca.cer
-rw-r----- 1 mosquitto mosquitto 424 Aug 21 12:45 dhparam.pem
-rwxr-xr-- 1 mosquitto mosquitto 3546 Apr 28 02:36 mqtt.cer
-rwxr-x--- 1 mosquitto mosquitto 3243 Apr 28 02:36 mqtt.key
-rwxr-x--- 1 mosquitto mosquitto 7528 Apr 28 02:36 mqtt.p7b
-rw-r--r-- 1 mosquitto mosquitto 130 Apr 28 02:36 README
Accepting all certificates in clients doesn't help unfortunately. That way I at least had something to start with.
When I move the ssl config file away, hence deactivating SSL, a client can connect just fine when trying a plain connection.
What I find a bit weird is this. This shouldn't be, should it?
root@linux06:~# openssl s_client -connect 127.0.0.1:8883 -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@linux06:~#
The certificate is still fine (although it will expire soon; a few contents are masked):
root@linux06:~# openssl x509 -text -in /etc/mosquitto/certs/mqtt.cer
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:00:00:02:07:9a:37:38:09:44:97:a3:6c:00:01:00:00:02:07
Signature Algorithm: sha512WithRSAEncryption
Issuer: DC = org, DC = masked, DC = masked, CN = masked
Validity
Not Before: Aug 26 13:20:32 2019 GMT
Not After : Aug 25 13:20:32 2021 GMT
Subject: C = DE, ST = NA, L = nowhere, OU = masked
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:c3:55:4a:ec:47:ba:65:ee:1c:b4:ac:72:73:0d:
4b:c3:ae:94:8c:35:d8:1c:99:7e:0e:d9:12:3b:cf:
c9:6f:2a:f1:c0:e6:10:3e:52:df:a7:5a:36:73:6a:
I'm at my wits' end. Does anyone have an idea why this fails? I've dug through the example config, filesystem permissions and web pages, but I can't seem to find the reason for this failing.
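An added example (mine, not code from the post or from the mosquitto project) that walks the two config files above the way mosquitto 2.x scopes per-listener TLS options, i.e. each option binds to the most recently declared listener and an option with no preceding listener is flagged; the option list, the include_dir-after-main-file ordering and the findings it reports are assumptions, not mosquitto's own checks.

```python
# Added example, not mosquitto's own parser: models the 2.x rule that TLS
# options bind to the most recently declared `listener` and flags one seen
# before any listener. Assumes include_dir files follow the main file.
LISTENER_TLS_OPTS = {"cafile", "capath", "certfile", "keyfile", "dhparamfile",
                     "tls_version", "require_certificate"}

# Constructed from the two files shown in the post (unrelated lines dropped).
MAIN_CONF = """
listener 8883
allow_anonymous true
include_dir /etc/mosquitto/conf.d
"""
SSL_CONF = """
cafile /etc/mosquitto/certs/ca.cer
certfile /etc/mosquitto/certs/mqtt.cer
keyfile /etc/mosquitto/certs/mqtt.key
dhparamfile /etc/mosquitto/certs/dhparam.pem
"""

def parse_config(text):
    """Return (option, value) pairs, skipping blank and '#' comment lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs

def scope_listeners(main_cfg, included):
    """Return ({port: {tls_option: value}}, [findings]) for a config set."""
    # Assumed ordering: main file first, then the include_dir files.
    pairs = parse_config(main_cfg) + [p for inc in included for p in parse_config(inc)]
    listeners, findings, current = {}, [], None
    for key, value in pairs:
        if key == "listener":
            current = value.split()[0]        # "8883" or "8883 0.0.0.0"
            listeners[current] = {}
        elif key in LISTENER_TLS_OPTS:
            if current is None:               # 2.x: listener options need a listener line
                findings.append(f"{key} set before any listener is declared")
            else:
                listeners[current][key] = value
        elif key == "allow_anonymous" and value == "true":
            findings.append("allow_anonymous true: clients need no credentials")
    for port, opts in listeners.items():
        if ("certfile" in opts) != ("keyfile" in opts):
            findings.append(f"listener {port}: certfile and keyfile must both be set")
    return listeners, findings
```

Commenting out the `listener 8883` line in the main file and re-running shows every TLS option in the conf.d file reported as unscoped, which is the situation the 2.0 migration page warns about.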