Dear all,
I am building a Nerves-based firmware where I will be using mTLS. For that I built my own CA and generated all the certificates. For shipping data I will be using the emqtt client.
I have successfully connected and I am able to send messages between the client and the server service, which is also built with Elixir. In between there is NGINX on the cloud edge for TLS termination and the MQTT broker where the messages go to.
WANT TO DO:

```text
gateway <---- mTLS port: 8883 ------> Nginx <---- port: 1883 -----> EMQX broker ↔ my cloud service
```

TESTING:

```text
mqttx GUI app <---- mTLS port: 8883 ------> Nginx <---- port: 1883 -----> EMQX broker ↔ my cloud service
```
I can use the certificates and test everything with my MQTTX app. It works and I can see the client connected to the broker.
If I try to use the same certificates later with my “want to do” setup, i.e. in Elixir, I get a lot of reconnections in my logs, and one of the errors that bothers me is something around the hostname:
```text
16:52:58.810 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Handshake Failure
- {:bad_cert, :hostname_check_failed}
16:52:58.810 [info] Starting MQTT Client
16:52:58.811 [info] Client ID set to: testko
16:52:58.811 [debug] Timer set to 5000 milliseconds
16:52:58.944 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Handshake Failure
- {:bad_cert, :hostname_check_failed}
16:52:58.944 [info] Starting MQTT Client
16:52:58.944 [info] Client ID set to: testko
```
though... I used the same certs in the MQTTX app on the same dev laptop and was successfully connected. So I guess there is still a configuration issue?
My configuration is:

```elixir
config :testko, :emqtt,
  host: "prefix.mydomain.com",
  port: 8883,
  clientid: "testko",
  clean_start: false,
  ssl: true,
  ssl_opts: [
    cacertfile: "certs/ca-chain.cert.pem",
    certfile: "certs/client3.cert.pem",
    keyfile: "certs/client3.key.pem",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    fail_if_no_peer_cert: true
  ],
  name: :emqtt,
  reconnect: true,
  reconnect_interval: 10000
```
I even tried putting cacertfile, certfile and keyfile in single quotes. Nothing really works.
Can anyone see anything problematic in my configuration? Does anybody have the emqtt client configured with mTLS in a way that actually works?
I would really appreciate any help/feedback/direction/blog/tutorial/doc where this would be explained.
Thanks in advance!
Tomaz
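An added diagnostic for the `{:bad_cert, :hostname_check_failed}` alert above; it is example code written for this thread, not code from the post or from the emqtt project. It performs the same server-certificate and hostname check the Erlang `ssl` application performs on emqtt's behalf, and when that check fails it reports the DNS names the server certificate actually carries next to the host that was dialled, while still rejecting the handshake. The module name, its function names and the `ssl_opts` argument (the `cacertfile`/`certfile`/`keyfile` from the config above) are assumptions made here.

```elixir
defmodule MtlsHostnameProbe do
  # Added diagnostic (not emqtt code): replay the ssl app's server-certificate check
  # and, on :hostname_check_failed, show which DNS names the server presented.
  require Record
  @hrl "public_key/include/public_key.hrl"
  Record.defrecordp(:otp_cert, :OTPCertificate, Record.extract(:OTPCertificate, from_lib: @hrl))
  Record.defrecordp(:tbs_cert, :OTPTBSCertificate, Record.extract(:OTPTBSCertificate, from_lib: @hrl))
  Record.defrecordp(:ext, :Extension, Record.extract(:Extension, from_lib: @hrl))
  @san_oid {2, 5, 29, 17}
  # Two keys worth adding to emqtt's ssl_opts: the name sent as SNI and matched against
  # the certificate, and the HTTPS-style matcher so a *.mydomain.com SAN is accepted.
  def hostname_opts(host) do
    [server_name_indication: String.to_charlist(host),
     customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]]
  end
  # DNS names from the subjectAltName extension of an OTP-decoded certificate.
  def san_dns_names(cert) do
    exts = case cert |> otp_cert(:tbsCertificate) |> tbs_cert(:extensions) do
      :asn1_NOVALUE -> []
      list -> list
    end
    for e <- exts, ext(e, :extnID) == @san_oid, {:dNSName, n} <- ext(e, :extnValue),
        do: List.to_string(n)
  end
  # Handshake with the CA bundle and client cert/key from the post's ssl_opts, plus a
  # verify_fun that still rejects a wrong hostname but first reports what was presented.
  # e.g. probe("prefix.mydomain.com", 8883, ssl_opts_from_config)
  def probe(host, port, ssl_opts) do
    parent = self()
    verify_fun = fn
      cert, {:bad_cert, :hostname_check_failed}, _state ->
        send(parent, {:presented, san_dns_names(cert)})
        {:fail, :hostname_check_failed}
      _cert, {:bad_cert, reason}, _state -> {:fail, reason}
      _cert, {:extension, _}, state -> {:unknown, state}
      _cert, _valid_or_valid_peer, state -> {:valid, state}
    end
    opts =
      Keyword.take(ssl_opts, [:cacertfile, :certfile, :keyfile]) ++
        [verify: :verify_peer, verify_fun: {verify_fun, nil}] ++ hostname_opts(host)
    case :ssl.connect(String.to_charlist(host), port, opts, 5_000) do
      {:ok, sock} -> :ssl.close(sock)
      {:error, reason} ->
        receive do
          {:presented, names} -> {:error, {:hostname_check_failed, dialled: host, presented: names}}
        after 0 -> {:error, reason}
        end
    end
  end
end
```

If the `presented` list does not contain the dialled host (or a wildcard covering it), the fix is on the NGINX certificate's SAN, not in the client; the keys from `hostname_opts/1` belong in `ssl_opts` in any case so the check runs against the intended name rather than being skipped.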