Re: [mosquitto-dev] Upgrade from 1.x to 2.0.14 - Unable to load server certificate

I have just checked that and the permissions were:

root@tsb:/etc/mosquitto# ls -l 
total 20
drwxr-xr-x 2 root root      4096 Dec 26 02:45 ca_certificates
drwx------ 2 root mosquitto 4096 Dec 26 15:30 certs
drwxr-xr-x 2 root root      4096 Dec 26 16:23 conf.d
-rw-r--r-- 1 root root       382 Dec 26 04:02 mosquitto.conf
-rw-r--r-- 1 root mosquitto  113 Dec 26 02:46 passwd

I have tried to change it with: chmod g+rx certs/ and now the permissions are:

root@tsb:/etc/mosquitto# ls -l 
total 20
drwxr-xr-x 2 root root      4096 Dec 26 02:45 ca_certificates
drwxr-x--- 2 root mosquitto 4096 Dec 26 15:30 certs
drwxr-xr-x 2 root root      4096 Dec 26 16:27 conf.d
-rw-r--r-- 1 root root       382 Dec 26 04:02 mosquitto.conf
-rw-r--r-- 1 root mosquitto  113 Dec 26 02:46 passwd

This made the broker able to start. I’m just not sure if these are the right permission settings. It would be nice to update the page Migrating from 1.x to 2.0 with some clear permissions guidelines. There is not much info on the web about what the right permissions should be.

Thanks in advance.

On 26/12/2021, at 16:06, Manuel Domínguez Dorado <ingeniero@xxxxxxxxxxxxxxxxxxx> wrote:

Have you checked the permissions of the /etc/mosquitto/certs directory?

On Sun, 26 Dec 2021 16:54, Sebastião Holbeche Beirão via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> wrote:
I have updated my broker to version 2.0.14 and now I'm unable to start it with anything other than simple MQTT protocol. Everything that has to have certificates causes the broker to fail to start.

I have already checked the link Migrating from 1.x to 2.0 and I have already implemented the renewal hook script with success, but the broker still does not work.

My /etc/mosquitto/mosquitto.conf looks like this:

# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example

pid_file /var/run/mosquitto/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

allow_anonymous false

include_dir /etc/mosquitto/conf.d

My /etc/mosquitto/conf.d/default.conf file looks like this:

allow_anonymous false
password_file /etc/mosquitto/passwd

# Verbose debugging for now.  YOU PROBABLY SHOULD NOT ENABLE THIS IN A PRODUCTION ENVIRONMENT!
log_type all debug
log_timestamp_format %Y-%m-%d_%H:%M:%S

listener 1883
protocol mqtt


autosave_interval 10
autosave_on_changes false

listener 8883
certfile /etc/mosquitto/certs/fullchain.pem
keyfile /etc/mosquitto/certs/privkey.key

sys_interval 1

Here fullchain.pem is the fullchain.pem file generated by Let's Encrypt, and privkey.key is the privkey.pem file generated by Let's Encrypt.

My permissions look like this:

root@tsb:/etc/mosquitto/certs# ls -l
total 16
-rw-r----- 1 root mosquitto 3750 Dec 26 15:30 chain.pem
-rw-r----- 1 root mosquitto 5629 Dec 26 02:49 fullchain.pem
-rw-r----- 1 root mosquitto 1704 Dec 26 02:49 privkey.key

My /lib/systemd/system/mosquitto.service looks like this:

[Unit]
Description=Mosquitto MQTT Broker
Documentation=man:mosquitto.conf(5) man:mosquitto(8)
After=network.target
Wants=network.target

[Service]
Type=notify
NotifyAccess=main
ExecStart=/usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto
ExecStartPre=/bin/chown mosquitto /var/log/mosquitto
ExecStartPre=/bin/mkdir -m 740 -p /var/run/mosquitto
ExecStartPre=/bin/chown mosquitto: /var/run/mosquitto

[Install]
WantedBy=multi-user.target

And when I start the broker I get the following error:

ubuntu@tsb:~$ mosquitto -c /etc/mosquitto/conf.d/default.conf
2021-12-26_03:38:23: mosquitto version 2.0.14 starting
2021-12-26_03:38:23: Config loaded from /etc/mosquitto/conf.d/default.conf.
2021-12-26_03:38:23: Opening ipv4 listen socket on port 1883.
2021-12-26_03:38:23: Opening ipv6 listen socket on port 1883.
2021-12-26_03:38:23: Opening ipv4 listen socket on port 8883.
2021-12-26_03:38:23: Opening ipv6 listen socket on port 8883.
2021-12-26_03:38:23: Error: Unable to load server certificate "/etc/mosquitto/certs/fullchain.pem". Check certfile.
2021-12-26_03:38:23: OpenSSL Error[0]: error:0200100D:system library:fopen:Permission denied
2021-12-26_03:38:23: OpenSSL Error[1]: error:20074002:BIO routines:file_ctrl:system lib
2021-12-26_03:38:23: OpenSSL Error[2]: error:140DC002:SSL routines:use_certificate_chain_file:system lib

Thanks in advance for the help!

Best regards,
Sebastião Beirão
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
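The fix in this thread (adding group search permission on the certs directory) works because the broker opens the certificate and key files as its unprivileged service account, and every directory on the way to the file must grant that account search (x) permission, not only the file itself read (r). The following script is an added example written for this page, not code from the Mosquitto project or from anyone in the thread. It replays the classic Unix permission check over the two `ls -l` listings quoted above, and also flags a private key that is readable by everyone. It assumes the broker runs as user `mosquitto` with primary group `mosquitto` (consistent with the `root mosquitto` ownership in the listings); the uid/gid names, the parent-directory assumption and the listing constants are constructed here.

```python
"""Model fopen(path, "r") for an unprivileged service user from `ls -l` output.

Added example for this thread; not Mosquitto code. Ancestor directories that are
not in the listing (here / and /etc) are assumed traversable.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One `ls -l` line, keyed by absolute path. `mode` holds the rwx bits only."""
    path: str
    is_dir: bool
    mode: int
    owner: str
    group: str


def parse_ls_line(parent: str, line: str) -> Entry:
    """Parse e.g. 'drwxr-x--- 2 root mosquitto 4096 Dec 26 15:30 certs'.
    ACL (+) and xattr (@) markers after the mode string are ignored; 'S'/'T'
    mean setuid/sticky without the x bit, so they count as unset."""
    perms, _links, owner, group, _size, _mon, _day, _time, name = line.split(maxsplit=8)
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch not in "-ST":
            mode |= 1 << (8 - i)
    return Entry(f"{parent.rstrip('/')}/{name}", perms[0] == "d", mode, owner, group)


def listing(parent: str, text: str) -> dict[str, Entry]:
    """Turn a pasted `ls -l` block into path -> Entry, skipping the 'total' line."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("total"):
            e = parse_ls_line(parent, line)
            entries[e.path] = e
    return entries


def allows(entry: Entry, user: str, groups: set[str], bit: str) -> bool:
    """Discretionary access check: the owner triplet applies if the uid matches
    (even if the group triplet would be more generous), else the group triplet,
    else 'other'. root bypasses DAC, so only call this for the service user."""
    shift = {"r": 2, "w": 1, "x": 0}[bit]
    if user == entry.owner:
        triplet = (entry.mode >> 6) & 7
    elif entry.group in groups:
        triplet = (entry.mode >> 3) & 7
    else:
        triplet = entry.mode & 7
    return bool((triplet >> shift) & 1)


def check_read_path(entries: dict[str, Entry], user: str, groups: set[str], target: str) -> list[str]:
    """Reasons why `user` cannot open `target` for reading: each known ancestor
    directory needs x, the file needs r. Empty list means the open would succeed."""
    problems = []
    parts = target.strip("/").split("/")
    for depth in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:depth])
        e = entries.get(ancestor)
        if e is not None and not allows(e, user, groups, "x"):
            problems.append(f"{ancestor}: no search (x) permission for {user}")
    f = entries.get(target)
    if f is None:
        problems.append(f"{target}: not present in listing")
    elif not allows(f, user, groups, "r"):
        problems.append(f"{target}: no read permission for {user}")
    return problems


# Listings copied from the thread: /etc/mosquitto before and after `chmod g+rx certs/`,
# plus the contents of certs/ from the original report.
BEFORE = """\
drwxr-xr-x 2 root root      4096 Dec 26 02:45 ca_certificates
drwx------ 2 root mosquitto 4096 Dec 26 15:30 certs
drwxr-xr-x 2 root root      4096 Dec 26 16:23 conf.d
-rw-r--r-- 1 root root       382 Dec 26 04:02 mosquitto.conf
-rw-r--r-- 1 root mosquitto  113 Dec 26 02:46 passwd
"""
AFTER = BEFORE.replace("drwx------ 2 root mosquitto", "drwxr-x--- 2 root mosquitto")
CERTS = """\
-rw-r----- 1 root mosquitto 3750 Dec 26 15:30 chain.pem
-rw-r----- 1 root mosquitto 5629 Dec 26 02:49 fullchain.pem
-rw-r----- 1 root mosquitto 1704 Dec 26 02:49 privkey.key
"""
MOSQ_USER, MOSQ_GROUPS = "mosquitto", {"mosquitto"}  # assumed service account
CERT = "/etc/mosquitto/certs/fullchain.pem"
KEY = "/etc/mosquitto/certs/privkey.key"


def audit(etc_listing: str) -> list[str]:
    """Check both TLS files for the service user and warn on a world-readable key."""
    entries = listing("/etc/mosquitto", etc_listing)
    entries.update(listing("/etc/mosquitto/certs", CERTS))
    problems: list[str] = []
    for target in (CERT, KEY):
        for p in check_read_path(entries, MOSQ_USER, MOSQ_GROUPS, target):
            if p not in problems:
                problems.append(p)
    if entries[KEY].mode & stat.S_IROTH:
        problems.append(f"{KEY}: private key is world-readable")
    return problems


if __name__ == "__main__":
    for label, text in (("before chmod", BEFORE), ("after chmod", AFTER)):
        print(label, "->", audit(text) or "OK")
```

Run as-is and the "before" listing reproduces the thread's failure at the directory level (`/etc/mosquitto/certs: no search (x) permission for mosquitto`), which is exactly what OpenSSL surfaces as `fopen:Permission denied` on a file whose own mode looks fine; the "after" listing passes with the key still not world-readable, so `drwxr-x--- root:mosquitto` on the directory with `-rw-r-----` files is the least-privilege shape the fix arrived at.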

