Configure HA to use MQTTS

I have reconfigured my mosquitto instance to run over TLS. This is working fine, and I have managed to get Zigbee2MQTT to connect up fine.

I cannot, however, get HA to connect. The front end only allows broker, username and password, so I configured mqtt via configuration.yaml, but that seemed to only want to connect as MQTT, not MQTTS, so it got rejected by mosquitto.

My Mosquitto config is just:

listener 8883
protocol mqtt

# cafile: CA used to verify client certificates (only enforced with require_certificate true)
cafile /mosquitto/config/ca.pem
keyfile /mosquitto/config/mosquitto.key.pem
# certfile: the broker's certificate; the intermediate can follow the leaf in this file so clients only need the root
certfile /mosquitto/config/mosquitto.cert.pem

and I can connect fine over TLS from MQTT browser.

zigbee2mqtt config is then:

mqtt:
  base_topic: zigbee2mqtt
  server: 'mqtts://mosquitto:8883'
  ca: /app/data/root-ca.pem
  # false disables verification of the broker certificate entirely (any cert is accepted)
  reject_unauthorized: false
  user: xxx
  password: yyy

and this connects and works fine.

HA, however, I cannot get to work:

mqtt:
  broker: <IP>
  port: 8883
  client_id: home_assistant
  username: !secret MQTT_user
  password: !secret MQTT_pass
  # CA file used to verify the broker certificate
  certificate: '/config/root.ca.pem'
  discovery: true
  # true disables hostname verification against the broker certificate
  tls_insecure: true

but after fiddling around with this it either doesn't connect at all, or I see a protocol error in mosquitto (the same one I saw before I changed the server in zigbee2mqtt to mqtts).

Is this possible to achieve (even if it is via yaml)?

Answering my own question, but I have this working.
The issue appears to be that the certificate entry needed both the root and intermediate certificate added.

I have now moved to client certificates with:

mqtt:
  # hostname must match the broker certificate now that tls_insecure is false
  broker: mosquitto.mikeynet
  port: 8883
  client_id: home_assistant
  # root and intermediate CA certificates concatenated into one PEM file
  certificate: '/config/root.ca.pem'
  discovery: true
  discovery_prefix: homeassistant
  # client certificate and key presented to the broker (mutual TLS)
  client_key: '/config/key.pem'
  client_cert: '/config/cert.pem'
  tls_insecure: false

and now everything is working. I have a feeling I should have upped the log levels for MQTT to debug this earlier, but all is now good.

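The fix above (root and intermediate in one file) can be reproduced offline with a throwaway PKI. The script below is an added example, not code from the thread or from Home Assistant, mosquitto or zigbee2mqtt; it assumes only an openssl binary (1.1.1 or 3.x) on PATH, and the CA names, the host name `mosquitto` and the client name `home_assistant` are made up for the demo. It builds root -> intermediate -> leaf, then uses `openssl verify` to model three client views: root only against a broker that sends just its leaf (the failure in the question), the root+intermediate bundle HA was given (the fix), and a root-only client against a broker whose certfile carries leaf+intermediate (the broker-side alternative, modelled with `-untrusted`, which is how a TLS client treats the chain sent in the handshake). It also checks a client certificate for the mutual-TLS setup.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the chain problem
# behind the fix above with a throwaway PKI built by openssl, fully offline.
# Assumes: openssl 1.1.1 or 3.x on PATH. The CA names, the host name
# "mosquitto" and the client name "home_assistant" are made up for the demo.

# Minimal openssl config so the demo does not depend on the system
# openssl.cnf; the extension sections say what each certificate may do.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mosquitto
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue leaf $2 with extension section $3 and subject $4, signed by the
# intermediate CA in $1 (the broker cert and the HA client cert).
sign_leaf() {
    dir="$1" name="$2" ext="$3" subj="$4"
    openssl req -new -config "$dir/ext.cnf" -key "$dir/$name.key" \
        -subj "$subj" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/intermediate.pem" \
        -CAkey "$dir/intermediate.key" -CAcreateserial -days 30 \
        -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$name.pem" 2>/dev/null
}

# Build root CA -> intermediate CA -> server and client leaves under $1.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_cnf "$dir/ext.cnf"
    for n in root intermediate server client; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$n.key"
    done
    # Self-signed root: the only thing HA's certificate: file held at first.
    openssl req -new -x509 -config "$dir/ext.cnf" -extensions v3_ca \
        -key "$dir/root.key" -subj "/CN=Test Root CA" -days 30 -out "$dir/root.pem"
    # Intermediate signed by the root.
    openssl req -new -config "$dir/ext.cnf" -key "$dir/intermediate.key" \
        -subj "/CN=Test Intermediate CA" -out "$dir/intermediate.csr"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -days 30 \
        -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/intermediate.pem" 2>/dev/null
    sign_leaf "$dir" server v3_server "/CN=mosquitto"
    sign_leaf "$dir" client v3_client "/CN=home_assistant"
    # Client-side fix from the thread: root AND intermediate in one CA file.
    cat "$dir/root.pem" "$dir/intermediate.pem" > "$dir/ca-bundle.pem"
    # Broker-side alternative: leaf followed by intermediate as the certfile.
    cat "$dir/server.pem" "$dir/intermediate.pem" > "$dir/server-chain.pem"
}

# Model a TLS client's check: leaf $1, trust anchors in $2, and in $3 the
# (untrusted) chain the peer sent in the handshake, or "" for leaf only.
# The exit status is the verification result.
verify_chain() {
    leaf="$1" trusted="$2" presented="$3"
    if [ -n "$presented" ]; then
        openssl verify -CAfile "$trusted" -untrusted "$presented" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$trusted" "$leaf" >/dev/null 2>&1
    fi
}

# One line per scenario.
report() {
    if verify_chain "$2" "$3" "$4"; then echo "ok    $1"; else echo "FAIL  $1"; fi
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    report "root only, broker sends leaf only (the failure in the question)" \
        "$d/server.pem" "$d/root.pem" ""
    report "root+intermediate bundle as certificate: (the fix above)" \
        "$d/server.pem" "$d/ca-bundle.pem" ""
    report "root only, broker certfile = leaf+intermediate chain" \
        "$d/server.pem" "$d/root.pem" "$d/server-chain.pem"
    report "client cert for mutual TLS checked against the bundle" \
        "$d/client.pem" "$d/ca-bundle.pem" ""
    rm -rf "$d"
}

demo
```

The first scenario is the one the question hit: the broker's `certfile` held only the leaf, so the client saw a chain ending at an intermediate it did not know, and the handshake failed before any MQTT protocol exchange. Either side can supply the missing link; bundling the intermediate into HA's `certificate:` file is the client-side fix, and putting leaf followed by intermediate into mosquitto's `certfile` lets every client keep a root-only CA file. The mutual-TLS client certificate fails the same way if checked against the root alone, so the bundle is needed on the broker side too (`cafile`) when the client certificates are issued by the intermediate.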

Thanks a lot this works for me.