Connect to external MQTT server with TLS

I have a Smart Meter (AMS) I want to read meter values from to use in Energy. I have a reader from OSS ( which has an API which also provides me access to their MQTT broker with the data.
I want to connect to the MQTT broker, but have not been able to configure this in Home Assistant.

I have been able to connect using MQTT Explorer using the following details:

Port: 8883
Username: my e-mail
Password: My public token
Encyption (tls): enabled (true)
Validate certiicate: disabled (false)

If I add the details in Home Assistant I am not able to make any configuration to add Encryption (tls). I just get an error message from HA (“Failed to connect”). I assume this is because I have not enabled Encryption.

I have tried to add “auto” as described here: MQTT Certificate - Home Assistant

# Example configuration.yaml entry
  certificate: 'auto'

However, this did not help.

I have also tried to generate my own ca.crt and ca.key as described here: [solved] MQTT with SSL/TLS not working with Home Assistant - #11 by fufs
Basically, these:

  1. Create CA private key (recommended to create password)
    $ openssl genrsa -des3 -out ca.key 2048
  2. Generate CA certificate (valid for 20 years)
    $ openssl req -new -x509 -days 7300 -key ca.key -out ca.crt

I have added this to my ssl folder with the below configuration:

  client_cert: /ssl/ca.crt
  client_key: /ssl/ca.key

This did not help. either…

I am a bit lost. Anyone know how I can connect to the broker from HA?

PS! Just to be clear, I do not need to specify any certs or keys when connect using MQTT Explorer, but if I enable the “Validate certificate” I get an error…

I have tried to connect to the MQTT Test server on port 8883, this also fails on Home Assistant, but works on MQTT Explorer when I have TLS enabled but disabled “Validate certificate”.

I have tried a few different configuration options, my current configuration is below.

  certificate: /etc/ssl/certs/ca-certificates.crt
  tls_insecure: true

I have also tried to use:

  certificate: auto
  tls_insecure: true

This did not change anything, still get error when trying to connect…

I am running out of options… I’d appreciate any help!

Hi! I have a very similar problem. I need to connect home assistant to an external mqtt broker configured with SSL/TLS over port 8883.
My configuration requires no username/password, but a fixed clientID, and all the certificates.
My configuration works perfectly fine when I test it with an external tool like MQTT explorer, but when I use the same data setting up MQTT in home assistant I get a “impossible to connect” error.
I am also not able to find any log concerning the error, so this is proving very difficult to debug.
My configuration:

port: 8883
username: (empty)
password: (empty)
clientId: xxx
Use a client certificate: on (with the certificates added)
Broker certificate validation: off (I tried also custom, with the .pem file, but it does not work either)

Do you have any insight (or at least a way to debug better what is happening?)

Thank you

The certificate: param is the CA certificate you get from them. If you weren’t provided one, then that means that it probably is a CA that’s commonly trusted and setting the CA certificate to Auto should work (Note: the documentation you refrenced says to do it in the UI, not YAML). If, however, they use self-signed certificates and don’t provide the CA certificate, then you need to disable CA certificate verification. It used to be that in YAML under mqtt: you would set insecure: true or tls_insecure: true, I don’t remember exactly. Not sure where in the UI it would be.

This is something different all together. client_cert and client_key is used for certificate authentication. You use this instead of a username and a password. From what it seems the broker you’re trying to connect to is using username and password authentication so don’t event bother with those fields.

Try setting the MQTT broker from the UI as it’s the current way to setup mqtt.