EMQTT client configuration for mTLS

Dear all,

I am building a nerves based firmware where I will be using mTLS. For that I build my own CA and generated all the certificates. For shipping data I will be using emqtt client.

I have successfully connected and I am able to send messages between client and server service which is as well built with elixir. In-between there is NGINX on cloud edge for TLS termination and MQTT broker where messages go to.

WANT TO DO:
gateway <---- mTLS port: 8883 ------> Nginx <---- port: 1883 -----> EMQX broker ↔ my cloud service

TESTING:
mqttx GUI app <---- mTLS port: 8883 ------> Nginx <---- port: 1883 -----> EMQX broker ↔ my cloud service

I can use certificates and test everything with my MQTTX app. It works and I can see client connected to broker.

If I try to use the same certificates later with my “want to do” setup, so in elixir I get full of reconnections in my logs and one of the error that bothers me is something around hostname

16:52:58.810 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}

16:52:58.810 [info] Starting MQTT Client

16:52:58.811 [info] Client ID set to: testko

16:52:58.811 [debug] Timer set to 5000 milliseconds

16:52:58.944 [notice] TLS :client: In state :wait_cert at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}

16:52:58.944 [info] Starting MQTT Client

16:52:58.944 [info] Client ID set to: testko

though... I used the same certs in MQTTX app on the same dev laptop and was successfully connected. So I guess there is still configuration issue?

My configuration is

config :testko, :emqtt,
  host: "prefix.mydomain.com",
  port: 8883,
  clientid: "testko",
  clean_start: false,
  ssl: true,
  ssl_opts: [
    cacertfile: "certs/ca-chain.cert.pem",
    certfile: "certs/client3.cert.pem",
    keyfile: "certs/client3.key.pem",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    fail_if_no_peer_cert: true
  ],
  name: :emqtt,
  reconnect: true,
  reconnect_interval: 10000

I even tried puthing cacertfile, certfile and keyfile in single quotes. Nothing really works.

Can anyone see anything problematic in my configuration? Does anybody have emqtt client configured with mTLS and actually works?

I would really appreciate any help/feedback/direction/blog/tutorial/doc where this would be explained.

Thanks in advance!

Tomaz

I tested the certificates with openssl tool as well. Based on that PKI part is ok. mTLS works. But how to configure this with emqtt is now a mistery to me.

As mentioned on slack many of those setting need to be charlists instead of binaries based on the specs on the emqtt repo and ones pointed to on OTP:

  • host
  • ssl_opts → all …_file ones

You can prefix the quoted values with ~c"…" to make them charlists.

clientid is speced as iodata, which is a supertype to binary, so that one is fine.

I did that as well.

config :testko, :emqtt,
  host: ~c"prefix.mydomain.com",
  port: 8883,
  clientid: "testko",
  clean_start: false,
  ssl: true,
  ssl_opts: [
    cacertfile: ~c"certs/ca-chain.cert.pem",
    certfile:
      ~c"certs/client-nemo_gw_3.cert.pem",
    keyfile:
      ~c"certs/client-nemo_gw_3.key.pem",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    log_level: :debug,
    server_name_indication: ~c"prefix.mydomain.com",
    # depth: 3,
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ],
    fail_if_no_peer_cert: true
  ],
  name: :emqtt,
  reconnect: true,
  reconnect_interval: 10000

And this still don’t work. Though now I get bunch of messages like this - reconnecting

➜  testko git:(drugi) ✗ iex -S mix
Erlang/OTP 27 [erts-15.0.1] [source] [64-bit] [smp:10:10] [ds:10:10:10] [async-threads:1] [jit]


10:05:26.241 [info] Starting MQTT Supervisor

10:05:26.243 [info] Starting MQTT Client

10:05:26.254 [info] Client ID set to: testko

10:05:26.254 [debug] Timer set to 5000 milliseconds
Interactive Elixir (1.17.2) - press Ctrl+C to exit (type h() ENTER for help)

10:05:26.382 [info] Starting MQTT Client

10:05:26.382 [info] Client ID set to: testko

10:05:26.382 [debug] Timer set to 5000 milliseconds

10:05:26.442 [info] Starting MQTT Client

10:05:26.442 [info] Client ID set to: testko

10:05:26.442 [debug] Timer set to 5000 milliseconds

10:05:26.497 [info] Starting MQTT Client

10:05:26.497 [info] Client ID set to: testko

10:05:26.497 [debug] Timer set to 5000 milliseconds

10:05:26.553 [info] Starting MQTT Client

10:05:26.554 [info] Client ID set to: testko

10:05:26.554 [debug] Timer set to 5000 milliseconds

10:05:26.602 [info] Starting MQTT Client

10:05:26.602 [info] Client ID set to: testko

10:05:26.602 [debug] Timer set to 5000 milliseconds

I have not used emqtt, but have 2 thoughts to try:

  • Use absolute paths instead of relative to rule out file structure inconsistency. Or even use the DER format there instead of files just to get it working
  • Many brokers only allow one connection at a time. When I see things seem to connect and then disconnect without much else, it’s usually because the same cert and/or client ID is already connected elsewhere and the broker ungracefully kicks the connection. This could be some test process already connect elsewhere (ie on host) or multiple processes trying to make the connection and getting in each others way

Outside of that, I’m unsure. I think we need the SSL debug logs here to maybe be useful. Or reach out to the library maintainers. There is nothing different starting it on server, host, or nerves device

This is now what works. I found the right configuration.

config :testko, :emqtt,
  host: "prefix.mydomain.com",
  port: 8883,
  clientid: "testko",
  clean_start: false,
  ssl: true,
  ssl_opts: [
    cacertfile: ~c"/root/certificates/ca-chain.cert.pem",
    certfile: ~c"/root/certificates/client-nemo_gw_1.cert.pem",
    keyfile: ~c"/root/certificates/client-nemo_gw_1.key.pem",
    tls_versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    server_name_indication: ~c"prefix.mydomain.com"
  ],
  name: :emqtt,
  reconnect: true,
  reconnect_interval: 10000

Thanks for the help.