我为蚊子创建了自签名CA和证书: https://mosquitto.org/man/mosquitto-tls-7.html和 http://www.steves-internet-guide.com/mosquitto-tls/
然后将这些添加到mosquitto dir并为mosquitto用户进行了chmoded,一般用脚本运行命令来执行以下操作:
- 创建CA
- 创建服务器证书
- 创建客户端证书
#!/bin/bash
# FROM: https://mosquitto.org/man/mosquitto-tls-7.html and
# http://www.steves-internet-guide.com/mosquitto-tls/
set -e
# logging
RESTORE='\033[0m'
RED='\033[00;31m'
GREEN='\033[00;32m'
YELLOW='\033[00;33m'
BLUE='\033[00;34m'
PURPLE='\033[00;35m'
CYAN='\033[00;36m'
LIGHTGRAY='\033[00;37m'
LRED='\033[01;31m'
LGREEN='\033[01;32m'
LYELLOW='\033[01;33m'
LBLUE='\033[01;34m'
LPURPLE='\033[01;35m'
LCYAN='\033[01;36m'
WHITE='\033[01;37m'
REQNUM=0
print_err() {
echo -e "${RED}ERROR $@ ${RESTORE}"
}
print_succ() {
echo -e "${GREEN} SUCCES: $@ ${RESTORE}"
}
print_warn() {
echo -e "${BLUE} WARN: $@ ${RESTORE}"
}
# CA & SRV need to have different params for mosquitto broker to work & to avoid needles asking
SUBJ="-subj "'/C=GB/ST=London/L=London/O='"$((++REQNUM))$1"'/OU=IT_Department/CN=localhost.local'
# gen CA
gen_CA() {
print_warn "generate CA"
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 ${DAYS} -out ca.crt ${SUBJ}
}
# SERVER
gen_server_keys() {
print_warn "Generate a server key"
openssl genrsa ${PSWD} -out server.key 2048 ${SUBJ}
print_warn "Generate a certificate signing request to send to the CA"
openssl req -out server.csr -key server.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt ${DAYS}
}
# CLIENT
gen_client_keys() {
print_warn "Generate a client key"
openssl genrsa ${PSWD} -out client.key 2048 ${SUBJ}
print_warn " Generate a certificate signing request to send to the CA"
openssl req -out client.csr -key client.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -addtrust clientAuth -CAcreateserial -out client.crt ${DAYS}
}
mosq_install() {
print_warn "Install mqtt certs"
sudo systemctl stop mosquitto
sudo cp server.* ca.crt /etc/mosquitto/certs/
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
sudo bash -c 'cat << EOF > /etc/mosquitto/conf.d/tls.conf
listener 8883
tls_version tlsv1.2
require_certificate false
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
EOF'
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs/ /etc/mosquitto/conf.d/
sudo systemctl restart mosquitto && print_warn "MQTT restarted!"
}
print_help() {
echo "usage: "
echo "--CA or --SRV or --CLI"
echo "--des3 to use passwd on cers"
echo "--days 'N' to use expirydate"
echo "--mosq install to mosquitto certs"
}
[ $1 ] || print_help
for a in $@; do
case "$a" in
"--CA")
gen_CA && print_succ "CA" || print_err "CA failed"
;;
"--SRV")
gen_server_keys && print_succ "server" || print_err "server keys failed"
;;
"--CLI")
gen_client_keys && print_succ "cli" || print_err "client keys failed"
;;
"--pass")
PSWD="-des3"
;;
"--days")
DAYS="-days $2"
shift
;;
"--mosq")
mosq_install && print_succ "" || print_err "install mosquitto"
;;
-h|--help)
print_help
;;
*)
print_help;
echo "bad param! $a"
;;
esac
done
之后我在mosquitto日志中收到错误:
159 1528809795:从/etc/mosquitto/mosquitto.conf加载配置。
160 1528809795:在端口8883上打开ipv4 listen套接字。
161 1528809795:在端口8883上打开ipv6 listen套接字。
162 1528809806:端口8883上127.0.0.1的新连接。
163 1528809806:OpenSSL错误:错误:14094418:SSL例程:ssl3_read_bytes:tlsv1 alert unknown ca
164 1528809806:OpenSSL错误:错误:140940E5:SSL例程:ssl3_read_bytes:ssl握手失败
165 1528809806:客户端出现套接字错误,断开连接 166 1528809809:端口8883上127.0.0.1的新连接
mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
在sourced conf.d dir tls.conf中:
listener 8883
tls_version tlsv1.2
require_certificate true
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
mosquitto_sub命令测试:
mosquitto_sub -h localhost -p 8883 --cafile ca.crt -v -t '#'
我得到的唯一问题是我得到的openssl s_client是: “验证退货代码:18(自签名证书)” 我无法连接python paho mqtt或mosquitto_sub / pub。我想测试localhost上的连接,然后为我的本地网络服务器制作证书,并将其与我的设备一起用于测试 - 但即使在localhost上也无法连接。