Mosquitto MQTT service failed to restart after adding SSL configuration

I'm trying to configure SSL access to my mosquitto bridge on Amazon EC2, Ubuntu 18 server. I followed the steps described in mosquitto tls docs and ended up with the following files:

  1. ca.crt
  2. ca.key
  3. ca.srl
  4. client.crt
  5. client.csr
  6. client.key
  7. server.crt
  8. server.csr
  9. server.key

in a temporary directory.

Then I copied three files:

sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp server.key /etc/mosquitto/certs/
sudo cp server.crt /etc/mosquitto/certs/

Then I added the following section to the configuration file:

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt

Then I wanted to restart mosquitto:

sudo service mosquitto restart

This doesn't work and responds with

> Job for mosquitto.service failed because the control process exited with error code.
> See "systemctl status mosquitto.service" and "journalctl -xe" for details.

I tried both, and there was just information that the configuration is wrong.

I tried commenting out different lines, and the following structure lets the service restart:

listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
#certfile /etc/mosquitto/certs/server.crt

Unfortunately, the certfile is necessary for the configuration to work. I checked the example configuration and the docs, and the certfile is a legal and required parameter.

How can I solve this issue?

xenteros asked Oct 29 '25 08:10


2 Answers

I'm running Mosquitto on Ubuntu server. I also ran into Mosquitto failing to start after adding SSL certificates and configuration. I got a standalone certificate from Let's Encrypt with the Certbot tool.

Version information: Ubuntu 18.04.5 LTS, Mosquitto 2.0.4 (MQTT v5.0/v3.1.1/v3.1 broker) and Certbot 1.11.0.

In the original, failing configuration, Mosquitto was configured to use the certificates in the /etc/letsencrypt... location.

My solution was to move all certificate files from /etc/letsencrypt/archive/ into the /etc/mosquitto/ folder and make the respective certificate file pointers in the mosquitto configuration point to this location.

The most relevant debugging information for troubleshooting this problem is available in the logfile /var/log/mosquitto/mosquitto.log.

Further info about troubleshooting

Playing around with ownerships did not have any effect in this case. The final configuration with certificates in the /etc/mosquitto/certs folder worked regardless of whether the owner of the files and of the folder containing the certificates was mosquitto or root.

I also tried not using the symbolic links in .../live/... and tested using the files in the /etc/letsencrypt/archive/... location directly instead; that did not work.

I did not check if some individual file is causing the issue, I just moved them all. Afterwards I tried to symlink only one of the files from ..mosquitto/certs, only to note that mosquitto will fail to start. For this server set-up to run, I need to keep the certificate files in the ...mosquitto/certs folder.

mhack answered Oct 30 '25 23:10


Changing the certificate/key permissions fixed the issue for me. E.g.

sudo chmod 744 raspberrypi.crt

sudo chmod 644 raspberrypi.key

As per this forum: https://github.com/owntracks/tools/issues/6

Markus answered Oct 31 '25 01:10
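Both answers come down to whether the account the broker runs as can open the three files named under the listener, and the second answer's chmod 644 on a .key leaves the private key readable by every account on the host. The script below is an added example, not code from the question or either answer: it reads the cafile/certfile/keyfile lines of a config, reports which files are missing or unreadable by the broker user, and flags a world-readable key. It assumes POSIX sh, the usual `ls -l` column layout, and that the Ubuntu package runs the broker as user and group "mosquitto" (the second argument overrides that).

```shell
#!/bin/sh
# Check the TLS file directives of a Mosquitto config before restarting the
# service. Prints one line per directive and returns non-zero if any file is
# missing, unreadable by the broker user, or a world-readable private key.
# Usage: check_mosquitto_tls_files /etc/mosquitto/conf.d/tls.conf [broker_user]
check_mosquitto_tls_files() {
    conf="$1"
    broker="${2:-mosquitto}"   # assumption: Ubuntu package runs as "mosquitto"
    rc=0
    # awk emits "directive=path" for the three TLS file directives; a commented
    # out line such as "#certfile ..." does not match and is skipped.
    for entry in $(awk '$1 ~ /^(cafile|certfile|keyfile)$/ { print $1 "=" $2 }' "$conf"); do
        directive=${entry%%=*}
        path=${entry#*=}
        if [ ! -f "$path" ]; then
            echo "missing: $directive $path"
            rc=1
            continue
        fi
        # Positional parameters now hold the ls fields: $1 mode, $3 owner, $4 group.
        set -- $(ls -ld "$path")
        mode=$1; owner=$3; group=$4
        readable=no
        case "$mode" in ???????r*) readable=yes ;; esac   # "other" read bit set
        if [ "$directive" = keyfile ] && [ "$readable" = yes ]; then
            echo "world-readable key: $path ($mode $owner:$group)"
            rc=1
            continue
        fi
        [ "$owner" = "$broker" ] && readable=yes
        case "$mode" in ????r*) [ "$group" = "$broker" ] && readable=yes ;; esac   # group read bit
        if [ "$readable" = yes ]; then
            echo "ok: $directive $path ($mode $owner:$group)"
        else
            echo "unreadable by $broker: $directive $path ($mode $owner:$group)"
            rc=1
        fi
    done
    return $rc
}
```

A key that the check reports as unreadable can be fixed with group ownership and mode 640 rather than 644, which keeps the broker able to read it without exposing it to other local accounts.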


