[Ovmsdev] MQTT V3 server problems

Mark Webb-Johnson mark at webb-johnson.net
Sat Oct 9 22:58:32 HKT 2021


For the stale data issue the normal way I have done this in the past is to have a ‘connected’ metric showing time of connection, and have that sent after MQTT connection. Client also has a LWT to clear that metric. Then use MQTT keep alive to ensure it is cleared for a jammed connection. I can check that in the next few days.

For the tls issue, it looks like let’s encrypt ca issue. If you are using 3.1.017 that should be resolved. If custom build, make sure you have the correct tls library chosen in menuconfig (not wolf ssl as broken). The server needs to be configured to access a) the key, b) the cert, and c) the chain. Some implementation simply concatenation c to b in one file.

When the client connects, the server sends the cert and chain, so client can verify the server.

Regards, Mark

> On 9 Oct 2021, at 9:23 AM, Craig Leres <leres at xse.com> wrote:
> 
> 
> My ovms boxes have been posting data to a mosquitto mqtt server for 3+ years but this recently broke.
> 
> I started out wanting to be able to tell when mqtt data for a particular module was stale but I see now that mqtt itself does not track this. I found an old stackoverflow that talked about an experimental mosquitto plugin to do this but I can't find out anything else about it. Another option would be to add a metric/topic with the timestamp of the last update. I think I need some guidance here. But given my modules no longer are able to connect to the server I need to solve that first.
> 
> Back the the main issue, the primary symptom is once a minute or so I see:
> 
>    1633741110: Client <unknown> disconnected: Protocol error.
>    1633741170: New connection from 108.111.222.33:52860 on port 8883.
>    1633741170: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
>    1633741170: Client <unknown> disconnected: Protocol error.
> 
> I'm using mosquitto 2.0.10 with lets encrypt certs:
> 
>    listener 1883 localhost
> 
>    listener 8883
>    certfile /usr/local/etc/letsencrypt/live/xse.com/cert.pem
>    keyfile /usr/local/etc/letsencrypt/live/xse.com/privkey2.pem
>    cafile /usr/local/etc/letsencrypt/live/xse.com/chain.pem
> 
> I'm not really sure when things stopped working. I was running 2.0.8 until sometime in July when the FreeBSD port upgrade to 2.0.10. So maybe that broke it; or maybe this is related to the lets encrypt ca change?
> 
> Part of my trouble is I don't really understand how mqtt tls works. My assumption was ovms uses the https cert and needs a cafile or capath that includes the self-signed ca that signed the certs my modules use so I changed cafile:
> 
>    cafile /usr/local/etc/mosquitto/certs/XSE-RootCA-4.crt
> 
> Does ovms generate its own mqtt cert on the fly? Does tls do somethig else? Comparing the mosquitto config to what apache needs for https, I only see the cert, key, and ca; missing is the chain file. Is the problem that my client (the ovms module) can't validate the *server* cert? I don't think so since the error message ("alert unknown ca") doesn't appear in the mosquitto source and I believe it's openssl code.
> 
> Suggestions would be appreciated.
> 
>        Craig
> _______________________________________________
> OvmsDev mailing list
> OvmsDev at lists.openvehicles.com
> http://lists.openvehicles.com/mailman/listinfo/ovmsdev



More information about the OvmsDev mailing list