
0 votes
1,404 views 4 comments

Hi guys,
I need to establish a secure connection (TLS) with my MQTT Broker (Teltonika Broker).
I added the 3 files (CA root file, server certificate and the server's private key) but unfortunately it didn't succeed. I tested it with my MQTT client and OpenSSL (OpenSSL used only to verify the handshake here), and I am always getting "Connection refused".
I think that the server (MQTT broker) is refusing the connection for some reason.

Here is the configuration:


So I have some questions here:
- What's the file's format: binary file or ASCII file? (You demand a *.crt file, so it's an ASCII file; just asking to be sure here.)
- Is the CA file here to let the server check the client?? (The server needs only two files, the server's certificate and its private key, unless we also want to check the client's authentication.)
- For the CA file, what is a *.ca file?? (I only know *.pem, *.crt, *.der, *.cer and others, but not a *.ca file.)

Here are the files, if you need to do some tests on it:

Device version: RUT950 - 1410L0; Batch no: 0014; HW rev: 0202.
Firmware version : RUT9XX_R_00.06.00
Kernel version : 3.18.44
BootLoader version : 1.0.0


Best Regards.


Is there any answer here ?? It's urgent please.


When you were creating the .csr file, what value did you enter in Common Name? Since it must be the domain name of the server, in your case the router's domain name or IP address.


Hi Tomas,

Thank you for your reply,
I changed the common name to my router's IP address, but unfortunately it didn't succeed.
I am still getting 'Connection Refused'.
So I used Wireshark to follow the handshake process, here is an image:

I think that before getting into the SSL handshake process, I have a problem with the TCP handshake; it seems like the server's socket is closed.

Troubleshoot file

Best Regards.



I have checked your troubleshoot file and noticed that the MQTT broker service is not running in the first place.

In the CLI, check running processes with the command ps and network status with the command netstat -tupan. There you should find lines similar to these if the MQTT broker process is active:


12196 root      3796 S    /usr/sbin/mosquitto -d -c /etc/mosquitto.conf

netstat -tupan

tcp        0      0  *               LISTEN      12196/mosquitto
tcp        0      0 :::8883                 :::*                    LISTEN      12196/mosquitto

This issue can be related to the firmware, since you are using RUT9XX_R_00.06.00, which is not the latest version. Try to flash the new FW version RUT9XX_R_00_06.05.3. With this version I have tested the MQTT broker with SSL and it worked as expected. Both subscribers and publishers were able to connect and to send and receive messages.

Since I don't know how you have generated your keys, there might be an issue with the server key. Try to generate the server key without encryption (more information about this:

openssl genrsa -out server.key 2048


1 Answer

0 votes

Hi Tomas,

There is no issue with the certificates and key; they work just fine. I have been testing them with my local Mosquitto broker and no problems were faced.

Yesterday, our team discovered the issue, and yes, like you said, the MQTT broker service was not running and the server's socket was closed in the first place.

So, we flashed the device with a newer version, RUT9XX_R_00_06.05.1 (we work only with firmware used in mass production), and the problem was resolved.
Why didn't we upgrade to a newer firmware version in the first place? Each time we check for a new FW, it says "No update available".

So we downloaded a new FW from Wiki.Teltonika.It and upgraded it manually.

Also, with the FW version RUT9XX_R_00_06.05.1, I think there is a bug: when you upload the SSL files and then disable the TLS/SSL option and enable it again, the files are gone, so each time I activate SSL, I need to upload all the files again and again.

Nevertheless, I really appreciate your effort here and I would like to thank you for your help.

Best regards.


Best answer
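
The distinction this thread arrived at, that "Connection refused" is a TCP-level failure that occurs before any certificate is examined, can be checked from the client side in one pass. The following is an added example, not code from the posters or from Teltonika; the function name `diagnose`, the stage labels and the placeholder address 192.0.2.1 are assumptions made for illustration.

```python
import socket
import ssl

# What each stage means for a broker such as the one in this thread.
HINTS = {
    "tcp_refused": "nothing is listening on the port; check the broker process",
    "tcp_unreachable": "no TCP path to the host (timeout, routing, firewall)",
    "cert_rejected": "TLS started but the server certificate failed verification",
    "tls_failed": "port is open but the TLS handshake did not complete",
    "ok": "TCP and TLS both succeeded",
}


def diagnose(host, port=8883, cafile=None, timeout=5.0):
    """Return (stage, detail) naming the first step that failed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        # RST in reply to SYN: the failure is below TLS, certificates are not involved.
        return "tcp_refused", str(exc)
    except OSError as exc:
        return "tcp_unreachable", str(exc)

    # cafile is the CA that signed the broker certificate; None uses system roots.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "cert_rejected", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_failed", str(exc)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder, not an address from the thread.
    stage, detail = diagnose("192.0.2.1", 8883, cafile=None, timeout=3)
    print(f"{stage}: {HINTS[stage]} ({detail})")
```

A result of `tcp_refused` points at the service state on the router (the `ps` and `netstat -tupan` checks above); only `cert_rejected` or `tls_failed` make the certificate files or Common Name worth revisiting.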