Re: [mosquitto-dev] Upgrade from 1.x to 2.0.14 - Unable to load server certificate

Have you checked the permissions of the /etc/mosquitto/certs directory?

On Sun, 26 Dec 2021 16:54, Sebastião Holbeche Beirão via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> wrote:
I have updated my broker to version 2.0.14 and now I'm unable to start it with anything other than simple MQTT protocol. Everything that has to have certificates causes the broker to fail to start.

I have already checked the link Migrating from 1.x to 2.0 and I have already implemented the renewal hook script with success but the broker still does not work.

My /etc/mosquitto/mosquitto.conf looks like this:

# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /var/run/mosquitto/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

allow_anonymous false

include_dir /etc/mosquitto/conf.d

My /etc/mosquitto/conf.d/default.conf file looks like this:

allow_anonymous false
password_file /etc/mosquitto/passwd

# Verbose debugging for now.  YOU PROBABLY SHOULD NOT ENABLE THIS IN A PRODUCTION ENVIRONMENT!
log_type all debug
log_timestamp_format %Y-%m-%d_%H:%M:%S

listener 1883
protocol mqtt


autosave_interval 10
autosave_on_changes false

listener 8883
certfile /etc/mosquitto/certs/fullchain.pem
keyfile /etc/mosquitto/certs/privkey.key

sys_interval 1

fullchain.pem is the fullchain.pem file generated by Let's Encrypt, and privkey.key is the privkey.pem file generated by Let's Encrypt.

My permissions look like this:

root@tsb:/etc/mosquitto/certs# ls -l
total 16
-rw-r----- 1 root mosquitto 3750 Dec 26 15:30 chain.pem
-rw-r----- 1 root mosquitto 5629 Dec 26 02:49 fullchain.pem
-rw-r----- 1 root mosquitto 1704 Dec 26 02:49 privkey.key

My /lib/systemd/system/mosquitto.service looks like this:

[Unit]
Description=Mosquitto MQTT Broker
Documentation=man:mosquitto.conf(5) man:mosquitto(8)
After=network.target
Wants=network.target

[Service]
Type=notify
NotifyAccess=main
ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto
ExecStartPre=/bin/chown mosquitto /var/log/mosquitto
ExecStartPre=/bin/mkdir -m 740 -p /var/run/mosquitto
ExecStartPre=/bin/chown mosquitto: /var/run/mosquitto

[Install]
WantedBy=multi-user.target

And when I start the broker I get the following error:

ubuntu@tsb:~$ mosquitto -c /etc/mosquitto/conf.d/default.conf
2021-12-26_03:38:23: mosquitto version 2.0.14 starting
2021-12-26_03:38:23: Config loaded from /etc/mosquitto/conf.d/default.conf.
2021-12-26_03:38:23: Opening ipv4 listen socket on port 1883.
2021-12-26_03:38:23: Opening ipv6 listen socket on port 1883.
2021-12-26_03:38:23: Opening ipv4 listen socket on port 8883.
2021-12-26_03:38:23: Opening ipv6 listen socket on port 8883.
2021-12-26_03:38:23: Error: Unable to load server certificate "/etc/mosquitto/certs/fullchain.pem". Check certfile.
2021-12-26_03:38:23: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
2021-12-26_03:38:23: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
2021-12-26_03:38:23: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib
Thanks in advance for the help!

Best regards,
Sebastião Beirão
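
The permission question raised in the reply can be checked mechanically for any account. The script below is an added example, not part of the thread or of Mosquitto: it walks an absolute path and reports the first component whose owner/group/other bits deny a given user search or read access. The function names are hypothetical, and it assumes Linux `stat -c` and classic mode bits only.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the first path component whose
# owner/group/other mode bits stop a user from reading a file.
# Not modelled: root's DAC override, POSIX ACLs, AppArmor/SELinux.
# Uses stat -c (GNU coreutils or BusyBox); -L judges a symlink by its target.

# allowed USER PATH BIT: status 0 if USER holds BIT (4=read, 1=search) on PATH
allowed() {
    a_uid=$(id -u "$1") || return 2
    a_gids=" $(id -G "$1") "
    a_stat=$(stat -L -c '%a %u %g' "$2") || return 2
    a_mode=$(printf '%03d' "${a_stat%% *}")
    a_mode=${a_mode#"${a_mode%???}"}        # drop setuid/setgid/sticky digit
    a_ids=${a_stat#* }
    if [ "$a_uid" = "${a_ids% *}" ]; then
        a_digit=${a_mode%??}                # owner class
    else
        case $a_gids in
            *" ${a_ids#* } "*) a_digit=${a_mode#?}; a_digit=${a_digit%?} ;;  # group
            *) a_digit=${a_mode#??} ;;                                      # other
        esac
    fi
    [ $(( a_digit & $3 )) -ne 0 ]
}

# check_path USER /abs/file: search (x) on every directory, read (r) on the file
check_path() {
    case $2 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    c_rest=${2#/}; c_cur=
    allowed "$1" / 1 || { echo "blocked at / ($a_stat)"; return 1; }
    while [ -n "$c_rest" ]; do
        c_cur=$c_cur/${c_rest%%/*}
        case $c_rest in
            */*) c_rest=${c_rest#*/}; c_bit=1 ;;
            *)   c_rest=; c_bit=4 ;;
        esac
        allowed "$1" "$c_cur" "$c_bit" ||
            { echo "blocked at $c_cur (mode uid gid: $a_stat)"; return 1; }
    done
    echo "ok: $1 can read $2"
}

# Usage on the paths from the thread (run as root so stat can see every level):
#   check_path mosquitto /etc/mosquitto/certs/fullchain.pem
#   check_path ubuntu    /etc/mosquitto/certs/fullchain.pem
```

Run it for the account the broker actually executes as; the result differs between the service user and an interactive login when the files are group-readable only.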