As expected, TLS is what breaks first.
I connect the iOS owntracks app in Private mode with activated TLS and authentication, so I have that going for me - which is nice.
MQTT setup was done using https://github.com/padelt/docker-owntracks-private-mqtt-broker , so mosquitto 1.4.2 is listening.
When recorder is connecting, it logs this:
2015-09-18 16:14:22,603 DEBG 'mosquitto' stdout output:
1442592862: OpenSSL Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
1442592862: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1442592862: Socket error on client <unknown>, disconnecting.
2015-09-18 16:14:32,633 DEBG 'mosquitto' stdout output:
1442592872: New connection from 178.201.xxx.xxx on port 1883.
Recorder repeatedly logs this:
Sep 18 16:12:21 pa15.local ot-recorder[4327] <Info>: MQTT connection: rc=8 [A TLS error occurred.]. Sleeping...
Config in /usr/local/etc/ot-recorder.sh is:
export OTR_HOST="my.host.name" # MQTT hostname
export OTR_PORT="1883" # MQTT port (set to 8883 for TLS and define OTR_CAFILE)
export OTR_USER="client2" # broker user name
export OTR_PASS="whatever" # broker password
export OTR_CAFILE="/Users/pa/owntracks/ca.crt" # PEM CA certificate chain for broker
opts="${opts} --http-host 127.0.0.1 --http-port 8083 -D"
exec "/usr/local/sbin/ot-recorder" ${opts} "owntracks/#"
The CA certificate is what signed the mosquitto server certificate.
Mosquitto's config is basically this:
id_file /var/run/mosquitto.pid
persistence true
persistence_location /volume/data/
user mosquitto
port 1883
log_dest file /volume/log/mosquitto.log
log_dest stdout
cafile /volume/config/tls/ca.crt
certfile /volume/config/tls/server.crt
keyfile /volume/config/tls/server.key
require_certificate false
allow_anonymous false
password_file /volume/config/clients/passwd
How can I debug the actual cause of the failure?
I assumed that recorder takes the OTR_CAFILE contents to validate the certificate presented by mosquitto. recorder does not get any certificate itself, so it will not send one to mosquitto. That should be fine with mosquitto, since require_certificate is false.
Help!?
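The broker log above shows mosquitto receiving a "certificate unknown" alert during the handshake, which means the TLS client (the recorder) rejected the broker's certificate. A TLS client accepts a server certificate only if it chains to a CA in its trust file and the name it connected to matches the certificate, so those are the two things to check offline before looking at the MQTT layer. The script below is an added example, not code from the OwnTracks or mosquitto projects: it builds a constructed CA, a constructed unrelated CA and a server certificate for `my.host.name` (the hostname is taken from the OTR_HOST line above; all keys and certificates are throwaway test material generated on the fly), then runs the same two checks with the openssl CLI. To check a real deployment, run `verify_chain` and `verify_host` against the actual OTR_CAFILE, the broker's certfile and the value of OTR_HOST. It assumes an openssl 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example (not from the OwnTracks recorder or mosquitto projects).
# Reproduces the two checks a TLS client applies to a broker certificate:
# chain validation against the CA file (OTR_CAFILE) and hostname matching
# (OTR_HOST). Everything under $WORK is constructed here and deleted on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME CN : writes $WORK/NAME.key and $WORK/NAME.crt (self-signed CA)
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -days 1 >/dev/null 2>&1
}

# make_server_cert CANAME HOSTNAME : writes $WORK/server.key and $WORK/server.crt,
# signed by CANAME, with HOSTNAME in subjectAltName (what clients match against).
make_server_cert() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/san.cnf"
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/server.crt" \
        >/dev/null 2>&1
}

# verify_chain CAFILE CERT : succeeds only if CERT chains to a CA in CAFILE.
# The system trust store is disabled so the result reflects CAFILE alone,
# exactly as a client configured with OTR_CAFILE would see it.
verify_chain() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_host CAFILE CERT HOST : succeeds only if the chain is valid AND HOST
# matches the certificate's subjectAltName / CN (the OTR_HOST check).
verify_host() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# Constructed test material: the broker's CA, an unrelated CA and the broker cert.
make_ca ca "Constructed Test CA"
make_ca other "Unrelated Constructed CA"
make_server_cert ca my.host.name

# report CMD ARGS... : runs a check and prints the outcome without aborting under set -e
report() {
    if "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi
}

report verify_chain "$WORK/ca.crt"    "$WORK/server.crt"                    # OK
report verify_chain "$WORK/other.crt" "$WORK/server.crt"                    # FAIL: CA file did not sign the broker cert
report verify_host  "$WORK/ca.crt"    "$WORK/server.crt" my.host.name       # OK
report verify_host  "$WORK/ca.crt"    "$WORK/server.crt" wrong.host.name    # FAIL: connected-to name not in the cert
```

The second failure case is the one that is easy to miss when the CA file is correct: a chain that validates but a broker certificate issued for a different name than the one in OTR_HOST is still rejected by the client, and from the broker's side that looks identical to a wrong CA file.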