
I have an MQTT server and want to start using SSL instead of plain MQTT. I configured the server correctly to use my wildcard certificate, but it does not work without the --capath /etc/ssl/certs option. Also, my ZwaveJS2MQTT instance does not work over SSL (probably because the certificate path is missing). I use wildcard certificates on multiple servers (Debian, OpenVPN...) and have never had this kind of problem.

On the subscriber side:

pi@raspi1:~ $ mosquitto_sub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave"
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
Client mosqsub|29009-raspi1.sm sending CONNECT
^C
pi@raspi1:~ $ mosquitto_sub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" --capath /etc/ssl/certs
Client mosqsub|29078-raspi1.sm sending CONNECT
Client mosqsub|29078-raspi1.sm received CONNACK (0)
Client mosqsub|29078-raspi1.sm sending SUBSCRIBE (Mid: 1, Topic: zwave, QoS: 0)
Client mosqsub|29078-raspi1.sm received SUBACK
Subscribed (mid: 1): 0
Client mosqsub|29078-raspi1.sm received PUBLISH (d0, q0, r0, m0, 'zwave', ... (4 bytes))
test
^C

On the publisher side:

pi@raspi1:~ $ mosquitto_pub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" -m "test" 
Client mosqpub|29067-raspi1.sm sending CONNECT
Error: The connection was lost.
pi@raspi1:~ $ mosquitto_pub -d -h apollo.hostname.com -u "ha" -p 8883 -P "password" -t "zwave" -m "test" --capath /etc/ssl/certs
Client mosqpub|29069-raspi1.sm sending CONNECT
Client mosqpub|29069-raspi1.sm received CONNACK (0)
Client mosqpub|29069-raspi1.sm sending PUBLISH (d0, q0, r0, m1, 'zwave', ... (4 bytes))
Client mosqpub|29069-raspi1.sm sending DISCONNECT

When running a test against my wildcard certificate, I see the following errors:

Certificates provided   3 (3600 bytes)
Chain issues    Incorrect order, Contains anchor
#2
Subject GlobalSign Root CA   In trust store
...
Valid until Fri, 28 Jan 2028 12:00:00 UTC (expires in 6 years and 5 months)
Key RSA 2048 bits (e 65537)
Issuer  GlobalSign Root CA   Self-signed
Signature algorithm SHA1withRSA   Weak, but no impact on root certificate
#3
Subject AlphaSSL CA - SHA256 - G2
...
Valid until Tue, 20 Feb 2024 10:00:00 UTC (expires in 2 years and 6 months)
Key RSA 2048 bits (e 65537)
Issuer  GlobalSign Root CA
Signature algorithm SHA256withRSA

The certification path shows:

Path #1: Trusted
1   Sent by server  *.hostname.com
...
RSA 2048 bits (e 65537) / SHA256withRSA
2   Sent by server  AlphaSSL CA - SHA256 - G2
...
RSA 2048 bits (e 65537) / SHA256withRSA
3   Sent by server
In trust store  GlobalSign Root CA   Self-signed
...
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
4

1 Answer

From the mosquitto_pub/mosquitto_sub man page:

To enable TLS connections when using x509 certificates, either --cafile or --capath must be provided as an option.

The mosquitto command line tools have no default source of CA certificates, so to enable a TLS-based connection you must provide the path to a CA certificate file or to a directory of CA certificate files.

If you provide the path to a directory of CA certificates, the following must be in place:

For --capath to work correctly, the certificate files must have ".crt" as the file ending, and you must run "openssl rehash" each time you add/remove a certificate.

answered 2021-08-05T20:38:18.667
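Added example, not from the original question or answer: a small shell script that builds a --capath directory satisfying the two rules quoted above (files named *.crt, `openssl rehash` run after every change) and checks it before handing it to mosquitto_sub. It assumes the openssl CLI is installed; the CA it uses is a throwaway self-signed certificate generated locally as a stand-in for the real GlobalSign/AlphaSSL chain, and the mosquitto_sub invocation at the end is shown as a comment because the broker in the question is not reachable here.

```shell
#!/bin/sh
# Added example (not the poster's code). Assumes the openssl CLI is available.

# prepare_capath SRC_PEM DEST_DIR: install one CA certificate into DEST_DIR
# under a .crt name and rebuild the <subject_hash>.N links OpenSSL looks up.
prepare_capath() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    cp "$src" "$dest/$(basename "$src" .pem).crt"   # only *.crt files are loaded
    openssl rehash "$dest" 2>/dev/null              # required after every add/remove
}

# check_capath DIR: succeeds only if DIR holds at least one *.crt and every
# *.crt has a matching <subject_hash>.0 link, i.e. rehash was actually run.
# (Without --capath/--cafile at all, mosquitto_sub never negotiates TLS; that is
# the "Error: The connection was lost" seen in the question.)
check_capath() {
    dir="$1"; found=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || return 1
        h=$(openssl x509 -in "$crt" -noout -subject_hash) || return 1
        [ -e "$dir/$h.0" ] || return 1
        found=1
    done
    [ "$found" -eq 1 ]
}

# Demo: constructed throwaway CA, installed and checked, then used as capath.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
prepare_capath "$WORK/ca.pem" "$WORK/capath"
check_capath "$WORK/capath" && echo "capath OK: $(ls "$WORK/capath")"
# With a real CA installed the same way, the subscriber command from the
# question becomes (hostname from the question, capath from above):
# mosquitto_sub -h apollo.hostname.com -p 8883 -u ha -P password -t zwave --capath "$WORK/capath"
```

`openssl verify -CApath "$WORK/capath" server.pem` is a quick way to confirm the directory is usable by OpenSSL itself before debugging mosquitto.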