tomazbracic

tomazbracic

EMQTT client configuration for mTLS

Dear all,

I am building a nerves based firmware where I will be using mTLS. For that I build my own CA and generated all the certificates. For shipping data I will be using emqtt client.

I have successfully connected and I am able to send messages between client and server service which is as well built with elixir. In-between there is NGINX on cloud edge for TLS termination and MQTT broker where messages go to.

WANT TO DO:
gateway <---- mTLS port: 8883 ------> Nginx <---- port: 1883 -----> EMQX broker ↔ my cloud service

TESTING:
mqttx GUI app <---- mTLS port: 8883 ------> Nginx <---- port: 1883 -----> EMQX broker ↔ my cloud service

I can use certificates and test everything with my MQTTX app. It works and I can see client connected to broker.

If I try to use the same certificates later with my “want to do” setup, so in elixir I get full of reconnections in my logs and one of the error that bothers me is something around hostname

16:52:58.810 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}

16:52:58.810 [info] Starting MQTT Client

16:52:58.811 [info] Client ID set to: testko

16:52:58.811 [debug] Timer set to 5000 milliseconds

16:52:58.944 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}

16:52:58.944 [info] Starting MQTT Client

16:52:58.944 [info] Client ID set to: testko

though... I used the same certs in MQTTX app on the same dev laptop and was successfully connected. So I guess there is still configuration issue?

My configuration is

config :testko, :emqtt,
  host: "prefix.mydomain.com",
  port: 8883,
  clientid: "testko",
  clean_start: false,
  ssl: true,
  ssl_opts: [
    cacertfile: "certs/ca-chain.cert.pem",
    certfile: "certs/client3.cert.pem",
    keyfile: "certs/client3.key.pem",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    fail_if_no_peer_cert: true
  ],
  name: :emqtt,
  reconnect: true,
  reconnect_interval: 10000

I even tried puthing cacertfile, certfile and keyfile in single quotes. Nothing really works.

Can anyone see anything problematic in my configuration? Does anybody have emqtt client configured with mTLS and actually works?

I would really appreciate any help/feedback/direction/blog/tutorial/doc where this would be explained.

Thanks in advance!

Tomaz

Most Liked

tomazbracic

tomazbracic

This is now what works. I found the right configuration.

config :testko, :emqtt,
  host: "prefix.mydomain.com",
  port: 8883,
  clientid: "testko",
  clean_start: false,
  ssl: true,
  ssl_opts: [
    cacertfile: ~c"/root/certificates/ca-chain.cert.pem",
    certfile: ~c"/root/certificates/client-nemo_gw_1.cert.pem",
    keyfile: ~c"/root/certificates/client-nemo_gw_1.key.pem",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    server_name_indication: ~c"prefix.mydomain.com"
  ],
  name: :emqtt,
  reconnect: true,
  reconnect_interval: 10000

Thanks for the help.

Where Next?

Popular in Questions Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 53690 245
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

We're in Beta

About us Mission Statement