[Ovmsdev] MQTT V3 server problems
Craig Leres
leres at xse.com
Sat Oct 9 09:22:56 HKT 2021
My ovms boxes have been posting data to a mosquitto mqtt server for 3+
years but this recently broke.
I started out wanting to be able to tell when mqtt data for a particular
module was stale but I see now that mqtt itself does not track this. I
found an old stackoverflow that talked about an experimental mosquitto
plugin to do this but I can't find out anything else about it. Another
option would be to add a metric/topic with the timestamp of the last
update. I think I need some guidance here. But given my modules no
longer are able to connect to the server I need to solve that first.
Back to the main issue, the primary symptom is once a minute or so I see:
1633741110: Client <unknown> disconnected: Protocol error.
1633741170: New connection from 108.111.222.33:52860 on port 8883.
1633741170: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1633741170: Client <unknown> disconnected: Protocol error.
I'm using mosquitto 2.0.10 with Let's Encrypt certs:
listener 1883 localhost
listener 8883
certfile /usr/local/etc/letsencrypt/live/xse.com/cert.pem
keyfile /usr/local/etc/letsencrypt/live/xse.com/privkey2.pem
cafile /usr/local/etc/letsencrypt/live/xse.com/chain.pem
I'm not really sure when things stopped working. I was running 2.0.8
until sometime in July when the FreeBSD port upgraded to 2.0.10. So maybe
that broke it; or maybe this is related to the Let's Encrypt CA change?
Part of my trouble is I don't really understand how mqtt tls works. My
assumption was ovms uses the https cert and needs a cafile or capath
that includes the self-signed ca that signed the certs my modules use so
I changed cafile:
cafile /usr/local/etc/mosquitto/certs/XSE-RootCA-4.crt
Does ovms generate its own mqtt cert on the fly? Does tls do something
else? Comparing the mosquitto config to what apache needs for https, I
only see the cert, key, and ca; missing is the chain file. Is the
problem that my client (the ovms module) can't validate the *server*
cert? I don't think so since the error message ("alert unknown ca")
doesn't appear in the mosquitto source and I believe it's openssl code.
Suggestions would be appreciated.
Craig
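As an added example (not from Craig's post or the OVMS project), this script builds a throwaway CA and a server certificate with openssl in a temporary directory and checks the server cert against two CAs, the way a connecting client does: it verifies only against the CA that issued it, and a client that trusts some other CA (for instance a root that only signs the modules' client certificates) is the side that fails verification and sends the "unknown ca" alert the server then logs. The CA names and the CN are constructed test values.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: throwaway CA + server cert,
# then verification against the issuing CA and against an unrelated CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA (constructed test data, 2048-bit RSA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# make_server_cert CA: leaf cert for the MQTT listener, signed by CA
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=mqtt.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_against CA: exit 0 only if server.pem chains to CA; this is the
# check a TLS client performs on the listener's certificate
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca issuing-ca   # stands in for the CA chain that issued the server cert
make_ca client-ca    # stands in for a private root that only signs client certs
make_server_cert issuing-ca

if verify_against issuing-ca; then
    echo "issuing-ca: server cert verifies"
fi
if ! verify_against client-ca; then
    echo "client-ca: unknown issuer; a client trusting only this CA aborts the handshake with 'alert unknown ca'"
fi
```

Against a live listener the equivalent check is `openssl s_client -connect host:8883 -CAfile ca.pem -verify_return_error`, which aborts the handshake when the presented chain does not verify against that CA file.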