Test VerneMQ broker TLS with Mosquitto client

Introduction

Hi there,

It’s almost New Year, so I’m happily wishing you all the best before going deeper into my problem!

Background

  • I set up and configured the VerneMQ broker. The broker runs in a Docker container and I start it using docker-compose.yml. This is how my docker-compose file looks:
version: '3.3'
services:
  db:
    image: erlio/docker-vernemq
    container_name: vernemq1
    network_mode: docker_mysql_default
    restart: always
    environment:
      DOCKER_VERNEMQ_ALLOW_ANONYMOUS: 'off'
      DOCKER_VERNEMQ_PLUGINS.vmq_diversity: 'on'
      DOCKER_VERNEMQ_PLUGINS.vmq_passwd: 'off'
      DOCKER_VERNEMQ_PLUGINS.vmq_acl: 'off'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.auth_mysql.enabled: 'on'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.host: 'docker_mysql'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.port: '3306'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.user: 'vernemq'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.password: 'vernemq'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.database: 'vernemq_db'
      DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.password_hash_method: 'md5'
      DOCKER_VERNEMQ_LISTENER__SSL__CAFILE: '/vernemq/etc/ssl/chain.pem'
      DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE: '/vernemq/etc/ssl/cert.pem'
      DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE: '/vernemq/etc/ssl/privkey.pem'
      DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT: '0.0.0.0:8081'
      DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__USE_IDENTITY_AS_USERNAME: 'off'
      DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__REQUIRE_CERTIFICATE: 'off'
    ports:
      # <Port exposed> : <Port running inside container>
      - '1883:1883'
      - '8081:8081'
    expose:
      # Opens port 1883 on the container
      - '1883'
      - '8081'
    volumes:
      # Where our data will be persisted
      - /var/lib/
      - /home/ubuntu/etc/ssl:/vernemq/etc/ssl
# Name our volume
volumes:
  my-db:

  • I am using a MySQL database for authentication.
  • I am trying to use TLS certificates, based on the provided documentation ( https://docs.vernemq.com/configuration/listeners#sample-ssl-config ).
  • This setup is fully functional when I’m not trying to accept SSL connections (that is, when I remove the following lines from docker-compose.yml):
DOCKER_VERNEMQ_LISTENER__SSL__CAFILE: '/vernemq/etc/ssl/chain.pem'
DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE: '/vernemq/etc/ssl/cert.pem'
DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE: '/vernemq/etc/ssl/privkey.pem'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT: '0.0.0.0:8081'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__USE_IDENTITY_AS_USERNAME: 'off'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__REQUIRE_CERTIFICATE: 'off'
  • I tested/verified the TLS connection using the openssl client:

    openssl s_client -connect 172.18.0.4:8081 -key privkey.pem -cert cert.pem

    I executed this from the server’s localhost; 172.18.0.4 is the IP address of the vernemq Docker container, 8081 is the expected SSL default port (listener), and the key/cert are provided.
    This is the outcome (I suppose it means the TLS listener works):

Question

How can I test this using mosquitto client or any other mqtt client?
I want to use TLS based connection when publishing and subscribing.

When I don’t use TLS, this is how I execute mosquitto_sub (subscription client):

mosquitto_sub -h <ip_address> -p 1883 -t topic -d -u user -P password -i client-id

This is the response:
VerneMQ Subscription

When I try to use TLS, I add the --key and --cert options to use the private key and certificate:

mosquitto_sub -h <ip_address> -p 1883 -t topic -d -u user -P password -i client-id --key privkey.pem --cert cert.pem

I only get

Client user sending CONNECT

repeatedly. What am I doing wrong?
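As an added example (not from the original post, and not code from VerneMQ or Mosquitto), the following Python client does the same thing mosquitto_sub does when it is given a CA file: it performs a TLS handshake on the listener port, verifies the broker certificate against the chain, and then sends an MQTT 3.1.1 CONNECT with username/password and reads the CONNACK. Two points it makes concrete for the setup above: mosquitto_sub only switches to TLS when it is given --cafile (or --capath), and it has to be pointed at the TLS listener (8081 here, not the plaintext 1883); --key/--cert are only needed when the listener has REQUIRE_CERTIFICATE on, and cert.pem/privkey.pem are the server's pair and should stay on the server. Assumptions that are not in the original post: the broker's TLS listener is on port 8081, chain.pem is the CA chain that signed the listener certificate, and the host name used to connect matches the certificate (an IP such as 172.18.0.4 will fail host-name verification unless it is in the certificate's SAN, which is also why mosquitto_sub would need --insecure in that case).

```python
"""Minimal MQTT 3.1.1 CONNECT over TLS, to check a broker's TLS listener the
way mosquitto_sub does with --cafile. Added example, not from the original
post or from VerneMQ/Mosquitto.

Assumptions (not in the original post): TLS listener on port 8081, CA chain
in chain.pem, username/password authentication, no client certificate
required (REQUIRE_CERTIFICATE off).
"""
import socket
import ssl
import struct

# CONNACK return codes defined by MQTT 3.1.1
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _utf8_field(value: str) -> bytes:
    """MQTT UTF-8 encoded string: 2-byte big-endian length followed by bytes."""
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, MSB set means 'more'."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: str, password: str,
                  keepalive: int = 60) -> bytes:
    """Build an MQTT 3.1.1 CONNECT packet: clean session + username + password."""
    flags = 0x02 | 0x80 | 0x40  # clean session, username present, password present
    variable_header = (_utf8_field("MQTT") + bytes([4, flags])
                       + struct.pack("!H", keepalive))
    payload = (_utf8_field(client_id) + _utf8_field(username)
               + _utf8_field(password))
    body = variable_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connack(data: bytes):
    """Return (session_present, return_code, reason) from a raw CONNACK packet."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 2:
        raise ValueError("not a CONNACK packet: %r" % data[:4])
    session_present = bool(data[2] & 0x01)
    code = data[3]
    return session_present, code, CONNACK_CODES.get(code, "unknown")


def mqtt_tls_connect(host, port, cafile, client_id, username, password,
                     timeout=5.0):
    """TLS handshake (broker cert verified against cafile), then MQTT CONNECT.

    Returns the CONNACK return code. Raises ssl.SSLError when the port does
    not speak TLS (e.g. the plaintext 1883 listener) or the chain does not
    verify, and socket.timeout when the broker never answers the CONNECT.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True  # host must match the certificate's SAN/CN
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_connect(client_id, username, password))
            _, code, reason = parse_connack(tls.recv(4))
            print("CONNACK: %d (%s)" % (code, reason))
            return code


if __name__ == "__main__":
    import sys
    # usage: python mqtt_tls_probe.py broker.example.org 8081 chain.pem user password
    host, port, cafile, user, pw = sys.argv[1:6]
    mqtt_tls_connect(host, int(port), cafile, "tls-probe", user, pw)
```

The equivalent mosquitto_sub invocation against the listener configured above is `mosquitto_sub -h <hostname_in_cert> -p 8081 --cafile chain.pem -t topic -d -u user -P password -i client-id`; a CONNACK code of 4 or 5 means the TLS part works and the MySQL credentials are what to look at next.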

Source: StackOverflow