My ovms boxes have been posting data to a mosquitto mqtt server for 3+ years but this recently broke.
I started out wanting to be able to tell when mqtt data for a particular module was stale but I see now that mqtt itself does not track this. I found an old stackoverflow that talked about an experimental mosquitto plugin to do this but I can't find out anything else about it. Another option would be to add a metric/topic with the timestamp of the last update. I think I need some guidance here. But given my modules no longer are able to connect to the server I need to solve that first.
Back to the main issue, the primary symptom is once a minute or so I see:
1633741110: Client <unknown> disconnected: Protocol error.
1633741170: New connection from 108.111.222.33:52860 on port 8883.
1633741170: OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1633741170: Client <unknown> disconnected: Protocol error.
I'm using mosquitto 2.0.10 with Let's Encrypt certs:
listener 1883 localhost
listener 8883
certfile /usr/local/etc/letsencrypt/live/xse.com/cert.pem
keyfile /usr/local/etc/letsencrypt/live/xse.com/privkey2.pem
cafile /usr/local/etc/letsencrypt/live/xse.com/chain.pem
I'm not really sure when things stopped working. I was running 2.0.8 until sometime in July when the FreeBSD port upgraded to 2.0.10. So maybe that broke it; or maybe this is related to the Let's Encrypt CA change?
Part of my trouble is I don't really understand how mqtt tls works. My assumption was ovms uses the https cert and needs a cafile or capath that includes the self-signed ca that signed the certs my modules use so I changed cafile:
cafile /usr/local/etc/mosquitto/certs/XSE-RootCA-4.crt
Does ovms generate its own mqtt cert on the fly? Does tls do something else? Comparing the mosquitto config to what apache needs for https, I only see the cert, key, and ca; missing is the chain file. Is the problem that my client (the ovms module) can't validate the *server* cert? I don't think so since the error message ("alert unknown ca") doesn't appear in the mosquitto source and I believe it's openssl code.
Suggestions would be appreciated.
Craig
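An added example (not part of the post above, and not OVMS or mosquitto code) that reproduces offline the check behind the "unknown ca" alert: OpenSSL logs `ssl3_read_bytes:tlsv1 alert unknown ca` when it receives alert 48 from the peer, and the peer sends that alert when the certificate it was shown does not chain to a root in its own trust store. The script builds two throwaway roots and a leaf signed by one of them (the names `Trusted-Root`, `Unrelated-Root` and `mqtt.example` are constructed placeholders) and runs the same verification the connecting client performs, once against the right root and once against a trust store that lacks it.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# All names and files below are constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA (EC key for speed), written as $WORK/NAME.pem
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" -days 1 \
        >/dev/null 2>&1
}

# issue_leaf CA CN: server certificate for CN signed by CA, written as $WORK/CN.pem
issue_leaf() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/$2.pem" -days 1 >/dev/null 2>&1
}

# verify_chain TRUST_FILE CERT_FILE: returns 0 when CERT_FILE chains to a root
# contained in TRUST_FILE, non-zero otherwise. A TLS client makes this same
# decision against its own trust store; a non-zero result is what makes it
# abort the handshake with the unknown_ca alert that the server then logs.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "Trusted-Root" && make_ca "Unrelated-Root"
issue_leaf "Trusted-Root" "mqtt.example"

# Same leaf, two different trust stores: only the issuing root validates it.
if verify_chain "$WORK/Trusted-Root.pem" "$WORK/mqtt.example.pem"; then
    echo "trust store holds the issuer: chain verifies, client proceeds"
fi
if ! verify_chain "$WORK/Unrelated-Root.pem" "$WORK/mqtt.example.pem"; then
    echo "trust store lacks the issuer: verify fails, client sends unknown_ca"
fi
```

Against a live listener, `openssl s_client -connect host:8883 -CAfile <bundle>` run with the trust bundle the client actually ships reports the same verify result the client computes, and `-showcerts` lists exactly which certificates the server is presenting.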